github.com/kubearmor/cilium@v1.6.12/NEWS.rst

******
NEWS
******

v1.6.6
======

::

    André Martins (12):
          .github: rename github-actions file
          .github: remove github actions integration
          golang: update to 1.12.15
          update k8s test versions to 1.14.10, 1.15.7 and 1.16.4
          updating k8s to 1.16.4
          test: fix k8s upstream testing
          golang: update to 1.12.16
          garbage collect stale distributed locks
          operator: fix getOldestLeases logic
          kvstore/allocator: fix GCLocks unit tests
          kvstore/allocator: test for stale locks before acquiring lock
          nodeinit/templates: fix indentation of sys-fs-bpf

    Daniel Borkmann (1):
          identity: require global identity for empty labels

    Joe Stringer (3):
          .github: Update actions to v1.6.6 project
          install: Update the chart versions
          helm: Make nodeinit systemd mountpoint conditional

    Michal Rostecki (1):
          daemon: Enable IP forwarding on start

    Thomas Graf (4):
          cni: Fix noisy warning "Unknown CNI chaining configuration"
          eni: Fix releases of excess IPs
          ipam: Add ability to release IPs by owner name
          cni: Release IP even when endpoint deletion fails

    Vlad Ungureanu (1):
          Add missing words to spelling_wordlist

v1.6.5
======

::

    André Martins (4):
          .github: add github actions to cilium
          pkg/workloads: sleep 500ms before reconnecting to containerd
          update golang to 1.12.14
          Dockerfile runtime: add python3 dependency

    Ifeanyi Ubah (1):
          pkg/endpoint: delete _next directories during restore

    Jarno Rajahalme (4):
          envoy: Update to release 1.12 with Cilium TLS support
          envoy: Update to release 1.12.1
          Dockerfile: Use Envoy image that always resumes NPDS
          envoy: Update to 1.12.2

    John Fastabend (1):
          cilium: encryption bugtool should remove aead, comp and auth-trunk keys

    Maciej Kwiek (4):
          Add ApplyOptions
          add Force to Apply and use it in cilium install
          Move missed kubectl apply calls to `Apply` calls
          Add nil check for init container terminated state

    Martynas Pumputis (2):
          k8s: Use ParseService when comparing two services
          daemon: Decrease log level for svc not found msg

    Sebastian Wicki (1):
          k8s: Fix typo in io.cilium/shared-service annotation

    Thomas Graf (2):
          doc: Fix AKS installation guide
          doc: Disable masquerading in all chaining guides

v1.6.4
======

::

    André Martins (20):
          pkg/k8s: consider node taints as part of node equalness
          go: bump golang to 1.12.12
          update k8s to 1.13.12, 1.14.8, 1.15.5 and 1.16.2
          vendor: update k8s dependencies to 1.16.2
          golang: update to 1.12.13
          pkg/k8s: fix toServices policy update when service endpoints are modified
          docs: clarify usage of bpf fs mount
          pkg/policy: show error if user installs a L7 CNP with L7 proxy disabled
          pkg/endpoint: do not runIPIdentitySync is not running with kvstore
          k8s/endpointsynchronizer: re-fecth CEP in case of update conflict
          pkg/endpoint: start RegenerationFailureHandler after assign epID
          k8s/watcher: refactor code to generate k8s services
          pkg/k8s: fix service update bug fix
          operator: do not rm kube-dns pods if unmanaged-pod-watcher-interval == 0
          aws/eni: do not resync node if semaphore Acquire fails
          test/provision: update k8s test versions to 1.14.9 and 1.15.6
          k8s: update k8s to v1.16.3
          Revert "accesslog: Add support for missing and rejected headers."
          Revert "Envoy: Use CLUSTER_PROVIDED loadbalancer type."
          Revert "envoy: Update to release 1.12 with Cilium TLS support"

    Dan Sexton (1):
          Added chart value for etcd-operator cluster domain

    Daniel Borkmann (31):
          cilium: add OpenOrCreateUnpinned helper for Cilium maps
          cilium: probe and enable LPM map in prefilter
          cilium: add new probe package for BPF kernel feature probes
          cilium: dump warning when using prefilter but without full lpm support
          cilium: add prefilter delete method to openapi
          cilium: re-implement broken delete handler for prefilter
          bpf, probe: add probe for larger insn/complexity limit
          bpf, nat: bump collision retries on newer kernels
          bpf: remove deterministic retries on lru
          bpf: use random offset in port range and walk from there
          bpf: let nat signal potential congestion to cilium agent
          cilium: change CT GC sleep into a wakeup from select timeout
          cilium: add Mute/Unmute function for perf RB
          cilium: add signal package for handling BPF datapath signals
          cilium: one page for signal RB is enough in config
          cilium: log error to agent log when signal RB has timeout
          cilium: swap RegisterChannel with SetupSignalListener
          cilium: change channel type to proper signal.SignalData
          cilium: add metrics collection for signal package
          bpf: remap punt to stack so we properly recircle into bpf_netdev
          bpf: remove optimization to bypass rev-snat as prep for external ip
          bpf: fix tc-index bitfield wrt skipping nodeport
          bpf: merge nat handling ranges for bpf nodeport
          bpf: perform nodeport nat into full port range
          bpf: enable direct bpf_netdev redirect when !netfilter
          bpf: compile out bpf_lxc service lookup when host services enabled
          bpf: remove force_range nat config parameter
          bpf: fix nodeport insns over limit regressions in netdev/overlay progs
          bpf: do not error out when punt to stack return from nat
          bpf: always force egress nat upon nodeport requests
          vendor: point vishvananda/netlink back to upstream

    Deepesh Pathak (1):
          cni: fix cni plugin error formatting when agent is not running

    Ian Vernon (2):
          bugtool: add `cilium node list` output
          endpoint: regeneration controller runs with `RegenerateWithDatapathRewrite`

    Jaff Cheng (2):
          eni: Allow selecting subnet by Name tag
          eni: Allow releasing excess IP addresses via option

    Jarno Rajahalme (11):
          manager: Wait for policy map changes to be done before waiting for the ACK
          logfields: Add tag for cached xDS version.
          envoy: Always use IstioNodeToIP function
          Envoy: Track last ACKed version per proxy node
          xds: Allow endpoints to wait for the current policy version to be acked
          envoy: Do not force Network Policy updates
          policy: Add unit tests
          envoy: Remove 'force' argument from cache operations
          Envoy: Use CLUSTER_PROVIDED loadbalancer type.
          accesslog: Add support for missing and rejected headers.
          policy: Keep cached selector references for L3-dependent L7 rules.

    Jean Raby (1):
          unmanaged kube-dns: Delete one pod per iteration

    Joe Stringer (7):
          docs: Fix clustermesh secrets namespace
          endpoint: Clarify naming for identity resolution
          endpoint: Run labels controller under ep manager
          health: Fix handling of node update events
          health: Fix up IP removal from health prober
          health: Factor out getting the IPs to probe
          health: Add some basic unit tests for adding nodes

    John Fastabend (3):
          cilium: bpf, fix undeclared ENCRYP_IFACE
          cilium: encryption, increase initHealth RunInterval
          cilium: encryption, better error reporting for multiple default routes

    Laurent Bernaille (4):
          Don't add route/xfrm state for internal IPs in subnet mode
          Fix pre-allocate in the ENI documentation
          Support null encrytion/auth
          Add ipsec upsert logs in debug mode

    Maciej Kwiek (1):
          Pin kubectl version in ginkgo vms

    Martynas Pumputis (10):
          test: Add GetCiliumHostIPv4 helper
          test: Extend NodePort BPF tests
          docs: Fix typo
          test: Add test for loopback service connectivity
          datapath: Fix hairpin flow when ENABLE_ROUTING is disabled
          k8s: Provision NodePort services for LoadBalancer
          daemon: Disable L7 proxy with explicit flag
          daemon: Enable FQDN proxy if --enable-l7-proxy is set
          helm: Add global.l7Proxy.enabled param
          docs: Fix ipvlan iptables-free gsg

    Patrick Mahoney (1):
          install: fix label used in ServiceMonitor to select cilium-agent

    Ray Bejjani (4):
          envoy: Update to release 1.12 with Cilium TLS support
          fqdn: DNSCache LookupByRegex functions don't return empty matches
          Docs: tofqdns-pre-cache is optional in preflight templates
          fqdn: L3-aware L7 DNS policy enforcement
          helm: Fix bug to disable health-checks in chaining mode

    Swaminathan Vasudevan (1):
          Fix kafka-v1.yaml file for compatibility

    Thomas Graf (5):
          agent: Add --enable-endpoint-health-checking flag
          helm: Disable endpoint-health-checking when chaining is enabled
          flannel: Disable endpoint connectivity health check
          bpf: Don't perform L3 operation when ENABLE_ROUTING is disabled
          iptables: Fix incorrect SNAT for externalTrafficPolicy=local

v1.6.3
======

::

    André Martins (5):
          go: bump golang to 1.12.10
          dockerfile.runtime: always run update when building dependencies
          docs: update k8s supported versions
          vendor: update to k8s 1.16.1
          Revert "add PR #82410 patch from kubernetes/kubernetes"

    Daniel Borkmann (1):
          bpf: fix cilium_host unroutable check

    Ian Vernon (1):
          policy: remove checking of CIDR-based fields from `IsLabelBased` checks

    Jarno Rajahalme (1):
          envoy: Update image for Envoy CVEs 2019-10-08

    Joe Stringer (6):
          health: Configure sysctl when IPv6 is disabled
          docs: Simplify microk8s instructions
          vendor: Bump golang.org/sys/unix library revision
          policy: Fix up selectorcache locking issue
          monitor: Fix reporting the monitor status
          bpf: Fix sockops compile on newer LLVM

    Julien Balestra (1):
          kvstore/etcd: always reload keypair

    Laurent Bernaille (4):
          Update netlink library (support for output-mark)
          Use output-mark to use table 200 post-encryption and set different MTU for main/200 tables
          Do not add policies/states for subnets
          Fix IP leak on main if

    Martynas Pumputis (2):
          sysctl: Get rid of GOOS targets
          sysctl: Add function to write any param value

    Michal Rostecki (2):
          sysctl: Add package for managing kernel parameters
          k8s/endpointsynchronizer: Do not delete CEP on empty k8s resource names

    Michi Mutsuzaki (1):
          daemon: Populate source and destination ports for DNS records

    Vlad Ungureanu (1):
          Change kind of daemonset in microk8s-prepull.yml to apps/v1

v1.6.2
======

::

    André Martins (19):
          update to k8s 1.16.0.rc.2
          Makefile: simplify k8s code generation target
          Makefile: avoid go modules when running k8s code generation
          test: test against k8s 1.16 by default
          dev VM: update k8s to v1.16.0-rc.2
          test: disable non-working k8s upstream test
          add PR #82410 patch from kubernetes/kubernetes
          pkg/k8s: create custom dialer function
          use common custom dialer to connect to etcd
          test: bump k8s testing versions to 1.13.11, 1.14.7 and 1.15.4
          charts/managed-etcd: bump cilium-etcd-operator to v2.0.7
          Gopkg.* bump to k8s 1.16.0
          test: test against k8s 1.16.0
          dev VM: update to k8s 1.16.0
          docs: fix aks guide
          docs: fix proper nodeinit.enabled flag
          plugins/cilium-cni: add support for AKS
          docs: add akz and az to list of spelling words
          docs/azure: wait for azure-vnet.json to be created

    Boran Car (2):
          Refactor probing to reuse client
          Do not ping during preflight checks

    Daniel Borkmann (1):
          iptables: fix cilium_forward chain rules to support openshift

    Deepesh Pathak (1):
          daemon: fix container runtime disabled state log

    Ian Vernon (6):
          loader: remove hash from compileQueue if build fails
          daemon: check error from `d.init()`
          daemon: move directory setup into `SetUpTest`
          daemon: do not delete directories created by tests if tests fail
          endpoint: use endpoint ID for error message
          endpoint: start a controller to retry regeneration

    Jarno Rajahalme (2):
          test: Add L3-dependent L7 test with toFQDN
          endpoint: Update proxy policies when applying policy map changes out-of-band

    Joe Stringer (3):
          Dockerfile: Use latest iproute2 image
          daemon: Start controller when pod labels resolution fails
          test: Add a standalone test for validating static pod labels

    John Fastabend (1):
          cilium: encryption, replace Router() IP with CiliumInternal

    Martynas Pumputis (3):
          Revert "Revert "Remove componentstatus from rbac""
          docs: Update kubeproxy-free guide
          docs: Do not pin cilium image vsn in kubeproxy-free guide

    Ray Bejjani (4):
          CI: increase timeouts by 30m to avoid k8s-1.10 test timeouts
          endpoint: Expose Endpoint.ApplyPolicyMapChanges
          policy: Expose map-update WaitGroup in FQDN update callchains
          FQDN: Wait on policy map update when adding new IPs

    Thomas Graf (1):
          bpf: Don't delete conntrack entries on policy deny

v1.6.1
======

::

    André Martins (11):
          install/kubernetes: do not add clustermesh documentation by default
          bump k8s support to 1.15.3
          bump manifests apiVersion to apps/v1
          etcd: use ca-file field from etcd option if available
          deps: update etcd to v3.4.0
          Revert "test: wait for k8s external service in [kube|core]-dns"
          Revert "test: add integration tests for k8s services with external IPs"
          Revert "pkg/k8s: add k8s external IPs support"
          Revert "pkg/k8s: test endpoints and service received by events channel"
          Revert "pkg/k8s: add merge method to merge 2 set of endpoints together"
          test: fix k8s upstream test

    Boran Car (1):
          Fix connectivity test example probes

    Dan Wendlandt (1):
          AKS getting started guide

    Daniel Borkmann (16):
          cilium: only start daemon's monitoring agent after base datapath setup
          cilium: assert monitor agent is allowed to expose socket
          docs: clarify nodeport and host-reachable services and 5.0.y kernel situation
          cilium: silence harmless CILIUM_TRANSIENT_FORWARD warning on startup
          cilium: fix restore v6 router ip to not break pod connectivity on restart
          ipam: do not assign v4 addresses for status.IPV6
          ipam: fix v6 address corruption in cilium status dump
          k8s: replace NodePort frontend cilium_host IP with router addr
          bpf: fix asymmetric routing and cilium_host connectivity in v6 tunnel mode
          bpf: fix routing of cilium_host router ip and health in v6 tunnel mode
          docs: fix typo and update kube-proxy free gsg
          doc: minor additional tweaks to kube-proxy free gsg
          bpf: usr prandom as slave selection in lb
          bpf: remove unused args from slave selection code
          bpf: add separate ct_service lifetime for tcp/non-tcp
          cilium: make all ct timeouts configurable

    Ian Vernon (1):
          daemon: signal endpoint restore fail when waiting for global identities times out

    Jarno Rajahalme (12):
          iptables: Add explicit ACCEPT rules for host proxy traffic
          test: Use global.tag in helm command line
          test: Return the error in CmdRes.GetErr()
          labels: Make Matches private
          k8s: Use api.WildcardEndpointSelector instead of an endpoint label reserved:all
          policy/api: remove Entity matching functions
          policy/api: Add test case for EntityAll
          envoy: Update to the latest API
          datapath: probe socket match support, plumb to Envoy configuration
          istio: Update to 1.2.5
          test: Wait for at least one Istio POD to get ready
          Dockerfile: Use latest Envoy image

    Joe Stringer (17):
          cilium: Support user-specified monitor socket
          daemon: Disable BPF routing in endpoint routes mode
          iptables: Refactor proxy socket redirect rule
          iptables: Allow xt_socket match rules to fail
          policy: Allow DNS policy on ports other than 53
          docs: Update direct routing policy limitation
          workloads: Fix disabled status reflection in API
          test: Remove old Cilium versions
          policy/api: Add tests for reserved:unmanaged match
          test: Fix endpoint routes mode test
          test: Add disabled test for tunnel+endpointRoutes
          health: Prefer contacting health EP over IPv4
          health: Fix endpoint routes mode
          bpf: Skip ingress proxy ip rule with endpoint routes
          cni: Fix disabling of routing in chaining mode
          docs: Avoid mentioning deprecated option
          test: Ensure managed etcd test tears down etcd

    John Fastabend (8):
          cilium: encryption, if IPv6 is not supported do not throw debug warning
          cilium: pull ConfigureResourceLimits earlier in bootstrapping
          cilium: encryption, throw hard error if map create fails
          cilium: encryption, log MapUpdateContext failures
          cilium: encryption, if encryptNode is disable release routes
          cilium: add interface to neighborLog
          cilium: encryption, delete encrypt-node routes if node is deleted
          cilium: encryption, add host networking routes for encrypt-node

    Maciej Kwiek (3):
          Use proper helm value in CI clusters
          Connection readiness of k8s client gets ns
          Remove componentstatus from rbac

    Martynas Pumputis (14):
          test: Add SkipContextIf helper
          test: Use SkipContextIf in Tests NodePort BPF
          test: Get rid of unused skipIfDoesNotRunOnNetNext helper
          helm: Add global.kubeConfigPath
          docs: Document how to specify Flannel bridge name
          helm: Allow to specify k8s api-server host and port via env vars
          docs: Add kube-proxy free getting started guide
          Revert "Remove componentstatus from rbac"
          daemon: Lower kernel requirement for TCP host-lb
          daemon: Specify exact kernel version in host-lb fatal log msg
          docs: Update source branch in kube-proxy-free guide
          test: Remove workaround to MASQ traffic from k8s2
          daemon: Improve logging for auto-enabling host-lb
          docs: Improve sysdump collection guide

    Rajat Jindal (1):
          cilium: update IsEtcdCluster to return true if etcd.operator="true" kv option is set

    Ray Bejjani (4):
          CI: decouple HTTP and DNS testing in K8sPolicyTest
          CI: K8sPolicyTest tests local DNS only
          tofqdns: Allow "_" in DNS names to support service discovery schemes
          operator: Pass identity allocation mode through correctly

    Rodrigo Chacon (1):
          eni: update ENI limits mappings

    Thomas Graf (6):
          doc: Update minikube requirement to meet TPROXY requirements
          operator: Fix passing kvstore options via arguments
          nodeinit: Change network mode from bridge to transparent on Azure
          k8s: Add initcontainer to wait for nodeinit to complete
          doc: Add Azure CNI to CNI chaining section
          clustermesh: Improve troubleshooting ability

    gkontridze (1):
          Docs: minor spelling corrections (Fixes #9127)