We are pleased to announce the release of Cilium v1.15.5.
This release fixes a number of bugs, including port conflicts with the transparent DNS proxy, clustermesh-apiserver/kvstoremesh failing to start as a non-root user, and connectivity issues after StatefulSet pod restarts.
Security Advisories
This release addresses the following security vulnerabilities:
Summary of Changes
Minor Changes:
- envoy: Bump go version to 1.22.3 (#32413, @sayboras)
- labels: Add controller-uid into default ignore list (Backport PR #32103, Upstream PR #31964, @sayboras)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport PR #32230, Upstream PR #32008, @darox)
- Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport PR #32384, Upstream PR #32155, @julianwiedmann)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #32418, Upstream PR #32128, @gandro)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #32384, Upstream PR #32244, @learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #32230, Upstream PR #31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #32312, Upstream PR #32270, @jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (Backport PR #32230, Upstream PR #32203, @mhofstetter)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #32230, Upstream PR #32116, @julianwiedmann)
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport PR #31879, Upstream PR #31539, @giorio94)
- Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #32092, Upstream PR #31840, @julianwiedmann)
- Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport PR #32432, Upstream PR #31605, @christarazi)
- Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32230, Upstream PR #32168, @squeed)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #32384, Upstream PR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #32103, Upstream PR #31959, @marseel)
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport PR #32178, Upstream PR #31646, @mhofstetter)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #32230, Upstream PR #32099, @jasonaliyetti)
- loader: sanitize bpffs directory strings for netdevs (Backport PR #32103, Upstream PR #32090, @rgo3)
- Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. (#32005, @giorio94)
- tables: Sort node addresses also by public vs private IP (Backport PR #32103, Upstream PR #30579, @joamaki)
CI Changes:
- alibabacloud/eni: avoid racing node mgr in test (Backport PR #31967, Upstream PR #31877, @bimmlerd)
- ci: Filter supported versions of AKS (Backport PR #32384, Upstream PR #32303, @marseel)
- ci: Increase timeout for images for l4lb test (Backport PR #32230, Upstream PR #32201, @marseel)
- ci: Set hubble.relay.retryTimeout=5s (Backport PR #32230, Upstream PR #32066, @chancez)
- enable kube cache mutation detector (Backport PR #32230, Upstream PR #32069, @aanm)
- gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport PR #32384, Upstream PR #32347, @giorio94)
- gha: configure fully-qualified DNS names as external targets (Backport PR #32103, Upstream PR #31510, @giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #32103, Upstream PR #32042, @giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #32103, Upstream PR #31958, @giorio94)
- route: dedicated net ns for each subtest of runListRules (Backport PR #32230, Upstream PR #29916, @mhofstetter)
- test: De-flake xds server_e2e_test (Backport PR #32103, Upstream PR #32004, @jrajahalme)
- workflows: Fix CI jobs for push events on private forks (Backport PR #32230, Upstream PR #32085, @pchaigno)
Misc Changes:
- bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport PR #32384, Upstream PR #29803, @julianwiedmann)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #32230, Upstream PR #32176, @dependabot[bot])
- chore(deps): update all github action dependencies (v1.15) (#31954, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32107, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32366, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#31993, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#32238, @renovate[bot])
- chore(deps): update azure/login action to v2.1.0 (v1.15) (#31994, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) (#32365, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.15) (#31953, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to d83472f (v1.15) (#32257, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.15) (#32364, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.15) (#32417, @renovate[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) (#32396, @renovate[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.15) (#32108, @renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#31821, @renovate[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #32230, Upstream PR #31866, @squeed)
- clustermesh: fix panic if the etcd client cannot be created (Backport PR #32384, Upstream PR #32225, @giorio94)
- docs: Add annotation for Ingress endpoint (Backport PR #32384, Upstream PR #32284, @sayboras)
- docs: add link to sig-policy meeting (Backport PR #32384, Upstream PR #32340, @squeed)
- docs: Clean-up Host Firewall documentation, list known issues (Backport PR #32384, Upstream PR #32267, @qmonnet)
- docs: Fix prometheus port regex (Backport PR #32230, Upstream PR #32030, @JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport PR #31967, Upstream PR #31886, @sharlns)
- Document Cluster Mesh global services limitations when KPR=false (Backport PR #31967, Upstream PR #31798, @giorio94)
- endpoint: Skip build queue warning log if context is canceled (Backport PR #32230, Upstream PR #32132, @jrajahalme)
- Fix helm chart incompatible types for comparison (Backport PR #32230, Upstream PR #32025, @lou-lan)
- fqdn: Change error log to warning (Backport PR #32384, Upstream PR #32333, @jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #32384, Upstream PR #32325, @nathanjsweet)
- golangci: Enable errorlint (Backport PR #31783, Upstream PR #31458, @jrajahalme)
- images: Update bpftool, checkpatch images (Backport PR #31896, Upstream PR #31753, @qmonnet)
- Improve release organization page (Backport PR #32103, Upstream PR #31970, @joestringer)
- install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport PR #32384, Upstream PR #32199, @aanm)
- install/kubernetes: update nodeinit image to latest version (Backport PR #32230, Upstream PR #32181, @tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR #32384, Upstream PR #32240, @pchaigno)
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #32260, Upstream PR #32200, @mhofstetter)
- Remove aks-preview from AKS workflows (Backport PR #32230, Upstream PR #32118, @marseel)
- Seamlessly downgrade bpf attachments from tcx to tc (Backport PR #32337, Upstream PR #32228, @ti-mo)
Other Changes:
- [1.15] images: update cilium-{runtime,builder} (#32444, @nebril)
- [v1.15-backport] Introduce fromEgressProxyRule (#31922, @jschwinger233)
- [v1.15] cilium-dbg: remove section with unknown health status. (#31905, @tommyp1ckles)
- [v1.15] proxy: skip rule removal if address family is not supported (#32007, @rgo3)
- envoy: Bump envoy version to v1.27.5 (#32077, @sayboras)
- envoy: Update envoy 1.27.x to 1.28.3 (#32149, @sayboras)
- fix k8s versions tested in CI (#31965, @nbusseneau)
- install: Update image digests for v1.15.4 (#31915, @asauber)
v1.15.5
Docker Manifests
cilium
quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
quay.io/cilium/cilium:stable@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.15.5@sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7
quay.io/cilium/clustermesh-apiserver:stable@sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7
docker-plugin
quay.io/cilium/docker-plugin:v1.15.5@sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437
quay.io/cilium/docker-plugin:stable@sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437
hubble-relay
quay.io/cilium/hubble-relay:v1.15.5@sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781
quay.io/cilium/hubble-relay:stable@sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.15.5@sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3
quay.io/cilium/operator-alibabacloud:stable@sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3
operator-aws
quay.io/cilium/operator-aws:v1.15.5@sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9
quay.io/cilium/operator-aws:stable@sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9
operator-azure
quay.io/cilium/operator-azure:v1.15.5@sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522
quay.io/cilium/operator-azure:stable@sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522
operator-generic
quay.io/cilium/operator-generic:v1.15.5@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
quay.io/cilium/operator-generic:stable@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
operator
quay.io/cilium/operator:v1.15.5@sha256:6f480128aa3d3b2c50a8dfa0bd5bc5121e48b1ee0bbc8eec9cae72e904bf10c3
quay.io/cilium/operator:stable@sha256:6f480128aa3d3b2c50a8dfa0bd5bc5121e48b1ee0bbc8eec9cae72e904bf10c3
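The manifest list above publishes both a version tag and a floating "stable" alias for each image, and the two should resolve to the same digest. When deploying, pin by digest rather than by tag so that a later retag of "stable" (or a compromised registry) cannot swap the image underneath you. The script below is an added example, not code from the Cilium project: it parses a manifest list in the shape shown above, checks that every digest is well-formed sha256 and that all tags of a component agree, and renders Helm `--set` overrides. The sample input is constructed from two of the entries above; the Helm value keys in HELM_DIGEST_KEYS are assumed from the Cilium Helm chart's values.yaml and should be checked against the chart version you install.

```python
import re

# Constructed sample input in the shape of the "Docker Manifests" section of a
# Cilium release page (component name, then one reference per tag).  Only two
# components are included here; the full list from the page works the same way.
MANIFEST_TEXT = """
cilium
quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
quay.io/cilium/cilium:stable@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
operator-generic
quay.io/cilium/operator-generic:v1.15.5@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
quay.io/cilium/operator-generic:stable@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
"""

# repo:tag@sha256:<64 hex>.  Anything that does not match this exactly (short
# digest, sha1, missing tag) is rejected rather than silently skipped.
REF_RE = re.compile(
    r"^(?P<repo>[a-z0-9._\-/]+):(?P<tag>[A-Za-z0-9_.\-]+)@(?P<digest>sha256:[0-9a-f]{64})$"
)

# Assumed Helm value keys for digest pinning (check against the chart's
# values.yaml for the version you deploy).  docker-plugin and the "operator"
# meta-image have no chart key, so they are intentionally absent.
HELM_DIGEST_KEYS = {
    "cilium": "image.digest",
    "operator-generic": "operator.image.genericDigest",
    "operator-aws": "operator.image.awsDigest",
    "operator-azure": "operator.image.azureDigest",
    "operator-alibabacloud": "operator.image.alibabacloudDigest",
    "hubble-relay": "hubble.relay.image.digest",
    "clustermesh-apiserver": "clustermesh.apiserver.image.digest",
}


def parse_manifests(text):
    """Return {component: {tag: digest}} from a manifest list."""
    manifests, component = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REF_RE.match(line)
        if m is None:
            if "/" in line or "@" in line:
                raise ValueError(f"malformed image reference: {line!r}")
            component = line  # a bare component header such as "cilium"
            manifests.setdefault(component, {})
            continue
        if component is None or m.group("repo").rsplit("/", 1)[-1] != component:
            raise ValueError(f"reference {line!r} listed under component {component!r}")
        manifests[component][m.group("tag")] = m.group("digest")
    return manifests


def pin_digests(manifests, version):
    """Return {component: digest} for `version`, failing if any tag disagrees."""
    pinned = {}
    for component, tags in manifests.items():
        if version not in tags:
            raise ValueError(f"{component}: no {version} tag in manifest list")
        digest = tags[version]
        for tag, other in tags.items():
            if other != digest:
                raise ValueError(f"{component}: tag {tag} -> {other}, expected {digest}")
        pinned[component] = digest
    return pinned


def verify_release(text, version):
    """Convenience wrapper: (pinned_digests, None) on success, (None, reason) otherwise."""
    try:
        return pin_digests(parse_manifests(text), version), None
    except ValueError as exc:
        return None, str(exc)


def helm_overrides(pinned):
    """Render --set flags that pin each chart image to its digest."""
    flags = []
    for component, digest in sorted(pinned.items()):
        key = HELM_DIGEST_KEYS.get(component)
        if key is not None:
            flags.append(f"--set {key}={digest}")
    return flags


if __name__ == "__main__":
    pinned, err = verify_release(MANIFEST_TEXT, "v1.15.5")
    if err:
        raise SystemExit(f"refusing to deploy: {err}")
    print("helm upgrade cilium cilium/cilium --version 1.15.5 \\")
    for flag in helm_overrides(pinned):
        print(f"  {flag} \\")
```

Feed the full manifest block from this page to the same functions and the script fails closed on the first tag whose digest diverges from its version tag, which is the condition you want to catch before a rollout rather than after.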