github.com/fafucoder/cilium@v1.6.11/CHANGELOG.md (about) 1 # Changelog 2 3 ## v1.6.11 4 5 Summary of Changes 6 ------------------ 7 8 **Bugfixes:** 9 * bpf: Fix monitor aggregation for 'from-network' (Backport PR #12724, Upstream PR #12559, @joestringer) 10 * Fix manual endpoint regeneration via command line (Backport PR #12713, Upstream PR #12524, @christarazi) 11 * Fix regression to identity garbage collection due to identity allocation flag in cilium operator (#12496, @brb) 12 * Fix string slice type CLI arguments (Backport PR #12483, Upstream PR #12457, @JieJhih) 13 * Fix toGroups CRD to address validation errors (Backport PR #12483, Upstream PR #12440, @lbernail) 14 * Various etcd bug fixes (#12748, #12753, @tgraf) 15 16 **Misc Changes:** 17 * Adds documentation for limiting identity-relevant labels used when evaluating Cilium Identities (Backport PR #12713, Upstream PR #12517, @seanmwinn) 18 * backporting: Report progress in set-labels.py (Backport PR #12713, Upstream PR #12640, @pchaigno) 19 * Clarify egress policy rule documentation (Backport PR #12713, Upstream PR #12525, @joestringer) 20 * contrib: Add ability to pass suffix for branch (Backport PR #12483, Upstream PR #12351, @christarazi) 21 * contrib: fix branch check in `start-backport` script (Backport PR #12483, Upstream PR #12361, @Rolinh) 22 * contrib: include branch name in file generated by start-backport (Backport PR #12483, Upstream PR #10649, @Rolinh) 23 * contrib: Print PR number in set-labels.py (Backport PR #12724, Upstream PR #12704, @christarazi) 24 * contrib: Tighten search for list of PRs (Backport PR #12724, Upstream PR #12703, @christarazi) 25 * docs(identity): Correct discrepancy between label and descriptions (Backport PR #12713, Upstream PR #12639, @sayboras) 26 * docs(troubleshooting): Remove bugtool related step with --serve flag (Backport PR #12713, Upstream PR #12532, @sayboras) 27 * docs: add instructions for vX.Y helm charts (Backport PR #12483, Upstream PR #12291, @aanm) 28 * test: bump k8s libraries to 1.16.12 (#12420, @aanm) 29 * Tidy up backporting documentation (Backport PR #12483, Upstream PR #9560, @joestringer) 30 31 **Other Changes:** 32 * [v1.6] k8s: Fix CRD schema version to 1.15.1 (#12498, @joestringer) 33 * Dockerfile: Bump v1.6 runtime image to 2020-08-03 build (#12754, @joestringer) 34 35 ## v1.6.10 36 37 Summary of Changes 38 ------------------ 39 40 **Bugfixes:** 41 * endpoint: Fix data races while accessing GetIdentity() (Backport PR #12021, Upstream PR #11941, @tgraf) 42 * Fix bug where etcd session renew would block indefinitely, causing endpoint provision to fail (Backport PR #12341, Upstream PR #12292, @joestringer) 43 * Fix bug where identity allocation wouldn't cancel from api timeouts (Backport PR #12352, Upstream PR #12328, @joestringer) 44 * helm/operator: fix IPv6 liveness probe address for operator (Backport PR #12341, Upstream PR #12223, @Rolinh) 45 * ipcache: Fix deadlock when ipcache GC results in datapath reload (Backport PR #12021, Upstream PR #11950, @tgraf) 46 * iptables: Remove '--nowildcard' from socket match (Backport PR #12356, Upstream PR #12248, @jrajahalme) 47 * Istio integration has been updated to release 1.5.0. (Backport PR #12356, Upstream PR #10564, @jrajahalme) 48 * Istio integration has been updated to release 1.5.1, with backported fix for GKE/COS. (Backport PR #12356, Upstream PR #10730, @jrajahalme) 49 * Istio integration has been updated to release 1.5.2 (Backport PR #12356, Upstream PR #11280, @jrajahalme) 50 * Istio integration has been updated to release 1.5.4 (Backport PR #12356, Upstream PR #11530, @jrajahalme) 51 * Istio integration is updated to Istio release 1.5.6. (Backport PR #12356, Upstream PR #12214, @jrajahalme) 52 * Istio integration is updated to Istio release 1.5.7. (Backport PR #12356, Upstream PR #12353, @jrajahalme) 53 * Istio integration is simplified with Cilium build of istioctl. (Backport PR #12356, Upstream PR #10851, @jrajahalme) 54 * Stop Cilium from hanging on CNP or CCNP events from Kubernetes if running with 'k8s-event-handover=true' and 'kvstore=""' (Backport PR #12341, Upstream PR #12146, @aanm) 55 * Envoy is updated to release 1.13.2. (Backport PR #12017, Upstream PR #11973, @jrajahalme) 56 * The host proxy is updated to Envoy release 1.13.3 (Backport PR #12352, Upstream PR #12343, @jrajahalme) 57 58 **CI Changes:** 59 * Fix flakey assertion on metrics (Backport PR #12021, Upstream PR #11966, @christarazi) 60 * ginkgo-ext: Fix data-race in Writer (Backport PR #12341, Upstream PR #12025, @gandro) 61 * test: Add retries to curl command (Backport PR #12356, Upstream PR #11993, @christarazi) 62 * test: Download correct cilium-istioctl for the executing OS. (Backport PR #12356, Upstream PR #12109, @jrajahalme) 63 * test: Skip Istio test if Ginkgo runs on unsupported runtime. (Backport PR #12356, Upstream PR #11905, @jrajahalme) 64 65 **Misc Changes:** 66 * [v1.6] Dockerfile: Bump cilium-runtime image (#12370, @christarazi) 67 * k8s: update k8s libraries to v1.16.11 (#12207, @aanm) 68 * contrib/backporting: remove requires-janitor-review label (Backport PR #12341, Upstream PR #11986, @aanm) 69 * docs: point cilium docs into a stable version of sphinx theme (Backport PR #12040, Upstream PR #12010, @genbit) 70 * docs: re-design cilium docs theme (Backport PR #12040, Upstream PR #11803, @genbit) 71 * envoy: Include detail in NACK warning (Backport PR #12341, Upstream PR #12016, @jrajahalme) 72 * envoy: Reduce logging verbosity. (Backport PR #12017, Upstream PR #11349, @jrajahalme) 73 * envoy: Use TypedConfig for Envoy filters (Backport PR #12017, Upstream PR #9889, @jrajahalme) 74 * logo: change SVG file used for the logo (Backport PR #12040, Upstream PR #12002, @qmonnet) 75 * Use right schema when validating CCNP in pre-flight upgrade step (Backport PR #12346, Upstream PR #12106, @aanm) 76 77 ## v1.6.9 78 79 Summary of Changes 80 ------------------ 81 82 **Minor Changes:** 83 * Add "--iptables-lock-timeout" to configure iptables --wait parameter (Backport PR #11883, Upstream PR #11701, @joestringer) 84 * bump k8s dependencies and test to v1.16.9 (#11045, @aanm) 85 * bump k8s dependencies to v1.15.12 and v1.16.10 (#11681, @aanm) 86 * Properly tear down gops agent on shutdown (Backport PR #11883, Upstream PR #11471, @tklauser) 87 * Support DNS matchPattern="*" to match "." (Backport PR #11883, Upstream PR #11633, @joestringer) 88 89 **Bugfixes:** 90 * `identity does not exist` warning messages are not logged if the allocation attempt is not at max (Backport PR #11883, Upstream PR #11580, @djboris9) 91 * Avoid duplication of generated toCIDRs when using a toServices based CNP (or CCNP) (#11900, @aanm) 92 * bpf: Preserve source identity for hairpin via stack (Backport PR #11496, Upstream PR #10926, @tgraf) 93 * CRD: fix allocation logic of identities with the same set of labels (Backport PR #11411, Upstream PR #11040, @aanm) 94 * daemon: Fatal on startup when Identity CRD is enabled without k8s (Backport PR #11266, Upstream PR #11015, @raybejjani) 95 * datapath/iptables: Masquerade hairpin traffic that traversed the stack (Backport PR #11496, Upstream PR #10928, @tgraf) 96 * Do not depend on `KUBERNETES_SERVICE_HOST` nor `KUBERNETES_SERVICE_PORT` environment variables to detect if cilium is running in k8s mode (Backport PR #11266, Upstream PR #11021, @aanm) 97 * endpoint: Avoid transient drops during policy map update (Backport PR #11266, Upstream PR #10936, @jrajahalme) 98 * envoy: Take xds mutator lock for map access (Backport PR #11883, Upstream PR #11541, @jrajahalme) 99 * etcd: Increase status check timeout to 10 seconds (Backport PR #11883, Upstream PR #11750, @tgraf) 100 * Fix issue where traffic from a pod could be dropped despite allow policy when DNS L7 rules are used (Backport PR #11883, Upstream PR #11764, @joestringer) 101 * Fix leaking endpoint state metric (Backport PR #11933, Upstream PR #11884, @christarazi) 102 * Fix possible endpoint restore failure in CRD mode. (Backport PR #11266, Upstream PR #10785, @aanm) 103 * k8s: Defer marking node as ready to just API is served (Backport PR #11266, Upstream PR #10767, @tgraf) 104 * k8s: Do not send DeleteService event upon DeleteEndpoints (Backport PR #11496, Upstream PR #11467, @brb) 105 * Log more information for error 'Unable update CRD identity information with a reference for this node' (Backport PR #11266, Upstream PR #10923, @aanm) 106 * proxy: Do not decrement proxy port reference count when reverting. (Backport PR #11883, Upstream PR #11753, @jrajahalme) 107 * proxy: Keep DNS port allocated (Backport PR #11662, Upstream PR #11661, @jrajahalme) 108 * Setting the agent.sleepAfterInit helm chart value to True will correctly configure the agent to sleep after Init (Backport PR #11429, Upstream PR #11203, @seanmwinn) 109 * Tight CNP and CCNP schema validation for badly formatted policies (yaml or json) (Backport PR #11411, Upstream PR #10727, @aanm) 110 111 **CI Changes:** 112 * CI: K8sKafkaPolicyTest kafka-broker starts up without errors (Backport PR #10761, Upstream PR #10721, @raybejjani) 113 114 **Misc Changes:** 115 * [v1.6] Dockerfile: Bump cilium-runtime to latest image (#11627, @joestringer) 116 * backporting: add 'upstream-prs' tag for code block (Backport PR #10761, Upstream PR #10033, @aanm) 117 * bpf: remap MARK_MAGIC_SNAT_DONE marker to avoid conflicts (Backport PR #11496, Upstream PR #11008, @borkmann) 118 * Fix incorrect name in sysctl_linux_test.go (Backport PR #11266, Upstream PR #10729, @christarazi) 119 * make: pick up all privileged tests in `make tests-privileged` (Backport PR #10761, Upstream PR #10734, @tklauser) 120 * Makefile: Fix --yaml arg for microk8s (Backport PR #11883, Upstream PR #10839, @joestringer) 121 * policy: Fix rule translation test flake (Backport PR #11933, Upstream PR #11913, @joestringer) 122 * proxy: release redir.mutex on early exit, update a comment on mutex use (Backport PR #11883, Upstream PR #11666, @qmonnet) 123 * Retry on conflicts when creating/updating CiliumNode objects on agent startup (Backport PR #11908, Upstream PR #11673, @ashrayjain) 124 125 # v1.6.8 126 127 Summary of Changes 128 ------------------ 129 130 **Minor Changes:** 131 * Add option to retrieve pprof traces from running cilium-agents (Backport PR #10684, Upstream PR #10666, @aanm) 132 * Update k8s libraries to 1.16.8 (#10662, @aanm) 133 134 **Bugfixes:** 135 * Fix issue where lxc_config.h header disappears after some regenerations (Backport PR #10640, Upstream PR #10630, @joestringer) 136 * kubernetes: do not set enable-endpoint-health-checking=false with portmap (Backport PR #10684, Upstream PR #10566, @soumynathan) 137 * policy: Keep NameManager locked during SelectorCache operations (Backport PR #10532, Upstream PR #10501, @jrajahalme) 138 139 **CI Changes:** 140 * [CI] Replace jenkinsfiles with symlinks (Backport PR #10460, Upstream PR #10262, @nebril) 141 * test: Fix possible race in waitForNPods helper function (Backport PR #10499, Upstream PR #10481, @brb) 142 * update: fix preflight step in upgrade test (#10472, @aanm) 143 144 **Misc Changes:** 145 * Adds details about required kernel versions above 4.9.17, supported OS update (Backport PR #10684, Upstream PR #10537, @seanmwinn) 146 * Istio integration has been updated to Istio release 1.4.6 (#10469, @jrajahalme) 147 * test: Avoid using global map for Cilium configuration (Backport PR #10460, Upstream PR #10388, @brb) 148 149 # v1.6.7 150 151 Summary of Changes 152 ------------------ 153 154 **Minor Changes:** 155 * add option to hold cilium agent after init container (Backport PR #10135, Upstream PR #10101, @aanm) 156 * Do not listen on any port by default for cilium-operator (#10369, @aanm) 157 * Fallback mode for a missing `xt_socket` kernel module is added where kernel's IP early demux functionality is disabled. This fallback is enabled by default if it is needed for corre 158 ct policy enforcement and visibility functionality. This fallback may be disabled by setting `enable-xt-socket-fallback=false`. (Backport PR #10361, Upstream PR #10299, @jrajahalme) 159 * ServiceMonitor should default to release namespace (Backport PR #10135, Upstream PR #10088, @dsexton) 160 161 **Bugfixes:** 162 * AKS: Fix dynamic reconfiguration of bridge mode (Backport PR #10379, Upstream PR #10383, @tgraf) 163 * bpf: Fix proxy redirection for egress programs (Backport PR #10223, Upstream PR #10113, @tgraf) 164 * cilium: only enable IPv6 forwarding if IPv6 is enabled (Backport PR #10135, Upstream PR #9034, @jrfastab) 165 * Correct clustermesh identity sync kvstore backend usage (to actually use the remote) (Backport PR #10223, Upstream PR #10185, @raybejjani) 166 * doc: Fix AKS guide regression (Backport PR #10379, Upstream PR #10308, @tgraf) 167 * Envoy fixes for CVE-2020-8659, CVE-2020-8660, CVE-2020-8661, CVE-2020-8664 (Backport PR #10443, Upstream PR #10434, @jrajahalme) 168 * etcd: Fix gRPC load balancer issue (Backport PR #10379, Upstream PR #10381, @tgraf) 169 * Fix cilium-operator deadlock for clusters with more than 128 services (Backport PR #10127, Upstream PR #10010, @aanm) 170 * Fix concurrent access of a variable used for metrics (Backport PR #10223, Upstream PR #10137, @aanm) 171 * Fix memory corruption on clusters with IPv6 and NodePort enabled (Backport PR #10223, Upstream PR #10192, @aanm) 172 * Fix regression to avoid freeing alive IPs (Backport PR #10237, Upstream PR #10207, @tgraf) 173 * Fixups for Correct clustermesh identity sync kvstore backend usage (Backport PR #10291, Upstream PR #10243, @raybejjani) 174 * ipam: Protect release from releasing alive IP (Backport PR #10095, Upstream PR #10066, @tgraf) 175 * ipcache: Add probe to check for dump capability to support delete (Backport PR #10223, Upstream PR #10144, @tgraf) 176 * Make cilium bpf {ct, nat} {list, flush} to work when running in ipv6-only mode (Backport PR #10291, Upstream PR #10193, @brb) 177 * node: Remove permanent ARP entry when remote node is deleted (Backport PR #10361, Upstream PR #10227, @brb) 178 * pkg/bpf: Protect attr in perf_linux.go with runtime.KeepAlive (#10206, @brb) 179 * pkg/bpf: Protect each uintptr with runtime.KeepAlive (Backport PR #10267, Upstream PR #10168, @brb) 180 * pkg/endpoint: access endpoint state safely across go routines (Backport PR #10223, Upstream PR #10140, @aanm) 181 * policy: fix innermap's flag error in eppolicymap (Backport PR #10291, Upstream PR #10201, @zhiyuan0x) 182 183 **CI Changes:** 184 * test: Wait for Istio POD termination before deleting istio-system or cilium (Backport PR #10361, Upstream PR #10325, @jrajahalme) 185 186 **Misc Changes:** 187 * bpf: Fix space hack in Makefile (Backport PR #10223, Upstream PR #10173, @brb) 188 * bpf: remove unused GetProgNextID, GetProgFDByID and GetProgInfoByFD (Backport PR #10267, Upstream PR #10187, @tklauser) 189 * bugtool: Dump NAT BPF maps entries with bpftool (Backport PR #10223, Upstream PR #10190, @brb) 190 * charts: Generate versions from VERSION file (Backport PR #10223, Upstream PR #10171, @joestringer) 191 * doc: Adjust documentation to renamed cilium-sysdump tool (Backport PR #10361, Upstream PR #10165, @tgraf) 192 * doc: Document L7 limitation in azure-cni chaining mode (Backport PR #10223, Upstream PR #10131, @tgraf) 193 * doc: Fix links to contributing guide (Backport PR #10361, Upstream PR #10322, @CybrPunk) 194 * docs: fix link for Cilium-PR-Kubernetes-Upstream job (Backport PR #10223, Upstream PR #10178, @tklauser) 195 * Documentation: Lock dependency to fix build (Backport PR #10438, Upstream PR #10419, @Ropes) 196 * Fix dead link in 1.4->1.5 upgrade documentation (Backport PR #10443, Upstream PR #10416, @Ropes) 197 * fqdn: Avoid races when updating global cache on GC (Backport PR #10443, Upstream PR #9483, @raybejjani) 198 * golang: update to 1.12.17 (#10210, @aanm) 199 * helm: Allow disabling xt_socket fallback (Backport PR #10361, Upstream PR #10342, @brb) 200 * install: Support generating vX.Y-dev charts (Backport PR #10361, Upstream PR #10355, @joestringer) 201 * pkg/bpf: Fix KeepAlive usage for pathStr (Backport PR #10361, Upstream PR #10288, @brb) 202 * Update release process steps (Backport PR #10135, Upstream PR #10035, @aanm) 203 * Use -F flag in git log in check-stable script (Backport PR #10291, Upstream PR #10283, @nebril) 204 205 **Other Changes:** 206 * .github: update github-actions project (#10045, @aanm) 207 * [1.6] Fix CRI-O regression in the tree (#10412, @joestringer) 208 * [v1.6] wip run with race detector (#10130, @aanm) 209 * update k8s dependencies to 1.16.7 (#10216, @aanm) 210 211 # v1.6.6 212 213 Summary of Changes 214 ------------------ 215 216 **Minor Changes:** 217 * golang: update to 1.12.15 (#9874, @aanm) 218 * golang: update to 1.12.16 (#9987, @aanm) 219 220 **Bugfixes:** 221 * Fix to allocate a global identity for an empty container label-set. (Backport PR #9827, Upstream PR #9821, @borkmann) 222 * Enable IP forwarding on daemon start (Backport PR #9841, Upstream PR #8954, @mrostecki) 223 * eni: Fix releases of excess IPs (Backport PR #9962, Upstream PR #9858, @tgraf) 224 * cni: Fix IP leak when CNI ADD times out (Backport PR #9962, Upstream PR #9913, @tgraf) 225 * cni: Fix noisy warning "Unknown CNI chaining configuration" (Backport PR #9962, Upstream PR #9937, @tgraf) 226 * Fix cilium installation in GCloud beta "rapid" channel (Backport PR #10007, Upstream PR #9959, @joestringer) 227 * garbage collect stale distributed locks (Backport PR #10007, Upstream PR #9982, @aanm) 228 * fqdn: Support setting tofqdns-min-ttl to 0 (Backport PR #9753, Upstream PR #9743, @raybejjani) 229 230 **Misc Changes:** 231 * Add missing words to spelling_wordlist (Backport PR #9753, Upstream PR #9643, @ungureanuvladvictor) 232 * Fix GC Locks bugs (Backport PR #10007, Upstream PR #10005, @aanm) 233 * nodeinit/templates: fix indentation of sys-fs-bpf (Backport PR #10024, Upstream PR #10008, @aanm) 234 * v1.6: install: Update the chart versions (#9788, @joestringer) 235 236 **Other Changes:** 237 * update k8s tested versions to v1.14.10, v1.15.7 and v1.16.4 (#9870, @aanm) 238 * .github: Update actions to v1.6.6 project (#9775, @joestringer) 239 * Fix github actions 1.6 (#9781, @aanm)