Revision dda367ebfabca4c70780aa53c21c872500ca8967 authored by Quentin Monnet on 11 October 2022, 14:04:21 UTC, committed by Tam Mach on 11 October 2022, 20:46:52 UTC
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
1 parent fb9bb0d
CHANGELOG.md
# Changelog

## v1.10.16

Summary of Changes
------------------

**Bugfixes:**
* daemon: avoid nil pointer dereference on invalid endpoint state (Backport PR #21469, Upstream PR #21449, @tklauser)
* daemon: Fix a nil dereference on cleanup when DNS proxy is not enabled (Backport PR #21469, Upstream PR #21365, @joamaki)
* Fix bug that can cause some traffic covered by an L7 policy to be dropped when IPsec is enabled on EKS. (Backport PR #21641, Upstream PR #21595, @pchaigno)
* Fix bug where traffic sent outside the cluster via ToFQDNs policy would be denied despite a policy that allows it (Backport PR #21563, Upstream PR #20721, @joestringer)

**CI Changes:**
* Remove Slack notifications (Backport PR #21469, Upstream PR #21239, @michi-covalent)

**Misc Changes:**
* bugtool: Dump envoy config for troubleshooting (Backport PR #21469, Upstream PR #21348, @sayboras)
* build(deps): bump 8398a7/action-slack from 3.13.2 to 3.14.0 (#21441, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.8 to 3.0.10 (#21555, @dependabot[bot])
* build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#21575, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.22 to 2.1.24 (#21340, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.24 to 2.1.25 (#21395, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.25 to 2.1.26 (#21515, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#21623, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#21424, @dependabot[bot])
* cmd/bpf: Log if no policy maps found (Backport PR #21469, Upstream PR #21429, @aditighag)
* contrib: avoid reviews from non-collaborators (Backport PR #21632, Upstream PR #21577, @bimmlerd)
* Fix a typo in the comment example (Backport PR #21469, Upstream PR #21402, @farcaller)
* helm: Fix post-start and pre-stop hooks for cilium-nodeinit on Ubuntu EKS images (Backport PR #21469, Upstream PR #20979, @dctrwatson)
* images: update cilium-{runtime,builder} (#21659, @qmonnet)
* ipcache: Fix lock leak (Backport PR #21563, Upstream PR #20833, @joestringer)
* ipsec: Fix slightly incorrect assumption in XFRM IN policies (Backport PR #21641, Upstream PR #21621, @pchaigno)
* ipsec: Refactoring around `UpsertIPsecEndpoint` (Backport PR #21632, Upstream PR #21461, @pchaigno)
* ipsec: Simplify XFRM FWD policies (Backport PR #21641, Upstream PR #21602, @pchaigno)
* ipsec: Simplify XFRM IN policies (Backport PR #21469, Upstream PR #21370, @pchaigno)
* makefile: use versioned Go container when formatting after api generate. (Backport PR #21469, Upstream PR #21254, @tommyp1ckles)

**Other Changes:**
* Aspsk/backports to v1.10 (#21485, @aspsk)
* install: Update image digests for v1.10.15 (#21307, @nebril)

## v1.10.15

Summary of Changes
------------------

**Minor Changes:**
* Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener (Backport PR #21221, Upstream PR #21127, @geakstr)
* dnsproxy: stop serving DNS traffic before agent shutdown (Backport PR #21221, Upstream PR #20795, @nebril)
* install: add TerminationMessagePolicy to cilium pods (Backport PR #21290, Upstream PR #21012, @squeed)
* put stderr of iptables command into error instead of merging into stdout (Backport PR #21138, Upstream PR #20895, @liuyuan10)

**Bugfixes:**
* datapath: allow local NodePort traffic for `eni+` container interfaces with CNI chaining (Backport PR #21221, Upstream PR #21126, @ti-mo)
* Fix conflicting routes for multiple ENIs in IPAM mode (Backport PR #21221, Upstream PR #20112, @recollir)
* ipcache/kvstore: fix panic when processing ip=<nil> entries (Backport PR #20937, Upstream PR #20706, @ArthurChiao)
* ipsec: Fix incorrect parsing of SPI from mark (Backport PR #20937, Upstream PR #20900, @pchaigno)
* k8s/watchers: fix panic in CiliumEndpoint labels update (Backport PR #21054, Upstream PR #20865, @jaffcheng)
* operator: do not GC kvstore nodes if CiliumNodes are not available (Backport PR #21221, Upstream PR #21133, @aanm)
* operator: update CiliumNode in kvstore without lease (Backport PR #21221, Upstream PR #21202, @tklauser)
* When systemd-sysctl sets the rp_filter sysctl, tolerate missing lxc_* / cilium_* interfaces. (Backport PR #21221, Upstream PR #21146, @julianwiedmann)

**CI Changes:**
* backport v1.10: test: Switch to kindest/node:v1.24.3 (#20920, @brb)
* Update wrk2 repository (#21159, @michi-covalent)

**Misc Changes:**
* add kvstore TTL flag in cilium-operator (Backport PR #21138, Upstream PR #21006, @NikhilSharmaWe)
* build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 (#21037, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.7 to 3.0.8 (#21021, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (#21046, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.0 to 2.1.18 (#20961, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 (#20987, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 (#21019, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 (#21090, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 (#21170, @dependabot[bot])
* Coalesce of health endpoint CIDRs (Backport PR #21221, Upstream PR #20848, @dezmodue)
* docs(bandwidth-manager): add note on per-pod limits (Backport PR #20937, Upstream PR #20916, @raphink)
* docs: fix check-crd-compat-table script (Backport PR #21290, Upstream PR #21208, @aanm)
* docs: Update ToServices docs section (Backport PR #21138, Upstream PR #21052, @joestringer)
* Document per-endpoint route requirement in aws-cni Helm snippet (Backport PR #21290, Upstream PR #21276, @ti-mo)
* Fix complaint about nil IP address on restore of cilium_host (Backport PR #20937, Upstream PR #20734, @christarazi)
* Improve CRD schema update automation during release process (Backport PR #20937, Upstream PR #20875, @joestringer)

**Other Changes:**
* Adding support for tracking instance hypervisor type in ENI limits pkg (#20929, @tommyp1ckles)
* install: Update image digests for v1.10.14 (#20926, @joestringer)

## v1.10.14

Summary of Changes
------------------

**Minor Changes:**
* add an option to wait for kube-proxy (Backport PR #20628, Upstream PR #20517, @michi-covalent)
* Add metric on number of requests rejected by DNS Proxy semaphore (Backport PR #20620, Upstream PR #20491, @rahulkjoshi)

**Bugfixes:**
* Add EndpointSlice support for clustermesh-apiserver (Backport PR #20838, Upstream PR #20697, @YutaroHayakawa)
* Fix ineffective post-start hook in ENI mode (Backport PR #20838, Upstream PR #20741, @bmcustodio)
* Fix parsing of string map command line options when more than one separator is present. (Backport PR #20838, Upstream PR #20673, @tklauser)
* helm: Guard apply sysctl init container (Backport PR #20838, Upstream PR #20643, @sayboras)
* iptables: handle case where kernel IPv6 support is disabled (Backport PR #20838, Upstream PR #20680, @jibi)
* pkg/k8s/version: Also set EndpointSlice when forcing version (Backport PR #20620, Upstream PR #20383, @joamaki)
* Fix bug where Cilium would crash on startup with an error about being unable to delete iptables rules. (Backport PR #20892, Upstream PR #20885, @jibi)

**CI Changes:**
* ci: fix code changes detection on `push` events (Backport PR #20838, Upstream PR #20685, @nbusseneau)

**Misc Changes:**
* build(deps): bump actions/cache from 3.0.5 to 3.0.6 (#20803, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.6 to 3.0.7 (#20871, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 (#20591, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 (#20802, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 (#20579, @dependabot[bot])
* Consider `$GO` environment variable `make precheck` checks (Backport PR #20838, Upstream PR #20750, @tklauser)
* contrib: Add CRD generation to release process (Backport PR #20838, Upstream PR #20564, @joestringer)
* daemon: Improve dnsproxy error when EP not found (Backport PR #20838, Upstream PR #20649, @joestringer)
* docs(masquerading): add missing "address" (Backport PR #20620, Upstream PR #20538, @raphink)
* docs: update etcd kvstore migration instructions (Backport PR #20838, Upstream PR #20624, @hhoover)
* Fix `subnet_id` label value being empty in IP allocation and interface creation in ENI IPAM metrics (Backport PR #20838, Upstream PR #20449, @wu0407)
* fqdn/dnsproxy: fix test build (Backport PR #20620, Upstream PR #20537, @tklauser)
* Optimize CIDR label functions (Backport PR #20620, Upstream PR #19843, @christarazi)
* pkg/k8s: do not wait for endpointslice cache sync in k8s >= 1.17 (Backport PR #20620, Upstream PR #20569, @aanm)
* pkg/k8s: set the right IP addresses in log messages (Backport PR #20838, Upstream PR #20757, @aanm)

**Other Changes:**
* install: Update image digests for v1.10.13 (#20560, @joestringer)

## v1.10.13

Summary of Changes
------------------

**Major Changes:**
* add support for AKS BYOCNI (Backport PR #20509, Upstream PR #19379, @nbusseneau)

**Minor Changes:**
* Add metric on datapath update latency due to FQDN IP updates (Backport PR #20330, Upstream PR #19992, @rahulkjoshi)
* IPSec key rotation without agent restart (Backport PR #20127, Upstream PR #19814, @jibi)
* v1.10: helm: disable the peer service by default (#20290, @rolinh)

**Bugfixes:**
* `node-init` now takes `enableIPv4Masquerade` into account on GKE. (Backport PR #20509, Upstream PR #19533, @bmcustodio)
* bpf: Fix typo in host firewall tail call (Commit https://github.com/cilium/cilium/commit/a8d84ac032c570c53c86150a54ecd5b3e96cefd7, @pchaigno)
* bug: Fixed a rare CiliumIdentity race deletion. (Backport PR #20330, Upstream PR #19936, @nathanjsweet)
* cilium: fix conflicting iptables-legacy and iptables-nft rules (Backport PR #20139, Upstream PR #20123, @jrfastab)
* Consider VPC's secondary CIDRs during cilium_host IP restoration (Backport PR #20395, Upstream PR #19341, @hemanthmalla)
* daemon: Fix issue where stale router IPs were not cleaned up (Backport PR #20509, Upstream PR #20389, @gandro)
* datapath: Fix security ID propagation in tunnel header for NodePort BPF forwarded requests (Backport PR #20327, Upstream PR #19061, @brb)
* Fix agent panic in some cases when service matcher local redirect policy was deployed prior to the selected service. (Backport PR #20179, Upstream PR #19522, @aditighag)
* Fix Azure IPAM 403 errors for Azure instances using Azure Compute Gallery images (Backport PR #20330, Upstream PR #19697, @andrew-bulford-form3)
* Fixed SystemD >=245 sysctl(`rp_filter`) config incompatibility (Backport PR #20232, Upstream PR #20072, @dylandreimerink)
* helm: Fix cluster-id arguments in clustermesh deployment (Backport PR #20330, Upstream PR #20312, @sayboras)
* ipsec: fix stale keys reclaim logic (Backport PR #20127, Upstream PR #19932, @jibi)
* iptables: ensure all rules are installed consistently (Backport PR #19914, Upstream PR #19693, @jibi)
* iptables: fix typo in addProxyRule condition (Backport PR #19914, Upstream PR #20109, @jibi)
* nodediscovery: ensure we cache the nodeResource correctly to avoid null pointer dereferencing (Backport PR #20330, Upstream PR #20158, @odinuge)
* nodediscovery: make LocalNode return a deep copy of localNode (Backport PR #20127, Upstream PR #20392, @jibi)

**CI Changes:**
* ci: provide CI images with unstripped binaries (Backport PR #20330, Upstream PR #20238, @tklauser)
* docs: Bump up Netlify Python version to 3.8 (Backport PR #20509, Upstream PR #20486, @michi-covalent)
* jenkinsfiles: fix docker manifest inspect commands in GKE pipeline (Backport PR #20330, Upstream PR #20325, @tklauser)

**Misc Changes:**
* [docs] Add training and support information to Getting Help (Backport PR #20330, Upstream PR #20194, @lizrice)
* Add a note about conflicting node CIDRs #20204 (Backport PR #20330, Upstream PR #20208, @wokalski)
* Add ESP to firewall requirements in documentation for IPSec enabled C… (Backport PR #20330, Upstream PR #20314, @Kikiodazie)
* Add Peer Service to Cilium DS Port List (Backport PR #20509, Upstream PR #20296, @nathanjsweet)
* build(deps): bump actions/cache from 3.0.4 to 3.0.5 (#20496, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#20464, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#20200, @dependabot[bot])
* ctmap: Do not use nil locks (Backport PR #20509, Upstream PR #20388, @jrajahalme)
* datapath: Always use of wait argument on iptables commands. (Backport PR #19914, Upstream PR #17593, @jrajahalme)
* docs(policy): add notes on DNS/L7 policies & Cilium agent availability (Backport PR #20330, Upstream PR #20289, @raphink)
* docs: Document clustermesh datapath configuration for non-tunneled modes (Backport PR #20509, Upstream PR #16499, @jrajahalme)
* docs: Improve policy troubleshooting guide (Backport PR #20509, Upstream PR #20399, @joestringer)

**Other Changes:**
* install: Update image digests for v1.10.12 (#20222, @joestringer)
* update k8s versions to the latest releases (#20514, @aanm)
* v1.10: update cilium-{runtime,builder} (#20541, @joestringer)

## v1.10.12

Summary of Changes
------------------

**Minor Changes:**
* Add concurrency limiting for DNS message processing (Backport PR #19859, Upstream PR #19592, @nebril)
* Add counter to track all datapath timeouts due to FQDN IP updates (Backport PR #20015, Upstream PR #19809, @ungureanuvladvictor)
* Add type label to the identity metric (Backport PR #20100, Upstream PR #19999, @ungureanuvladvictor)
* Bugtool: Add additional Linux traffic-control (tc) data to cilium-bugtool output. (Backport PR #20015, Upstream PR #19856, @tommyp1ckles)
* Change default agent health check port to avoid conflicts (Backport PR #19859, Upstream PR #19830, @tklauser)
* envoy: Bump cilium envoy to latest version v1.21.3 (Backport PR #20147, Upstream PR #20142, @sayboras)
* ui: v0.9.0 images and drop envoy proxy container (Backport PR #20110, Upstream PR #19565, @geakstr)

**Bugfixes:**
* Also take secondary CIDRs into account when checking for validity of IPv4NativeRoutingCIDR (Backport PR #20028, Upstream PR #18653, @codablock)
* cli: Update regex for key value validation (Backport PR #19859, Upstream PR #19794, @sayboras)
* clustermesh: Add ownerReferences for CiliumNodes (Backport PR #20100, Upstream PR #19959, @sayboras)
* cmd: Allow more complicated patterns in map string type. (Backport PR #20015, Upstream PR #19955, @sayboras)
* Fix memory leak in the DNS cache when a long-lived endpoint makes many unique DNS lookups over time (Backport PR #20100, Upstream PR #19925, @christarazi)
* Fix race condition leading to inconsistent CiliumNode that can cause the agent to fatal. (Backport PR #20110, Upstream PR #19923, @pchaigno)
* Improve endpoint and DNS proxy lock contention during bursty DNS traffic (Backport PR #20100, Upstream PR #19347, @christarazi)
* ipsec: Fix off-by-one error on max keyID (Backport PR #20015, Upstream PR #16647, @pchaigno)

**CI Changes:**
* .github/workflows: bump kind workflow to cilium-cli v0.10.5 (#19896, @tklauser)
* jenkins: switch to ad-hoc GKE cluster creation/deletion (Backport PR #19859, Upstream PR #19918, @nbusseneau)
* v1.10: .github/workflows: bump kind workflow to cilium-cli v0.10.6 (#19934, @tklauser)

**Misc Changes:**
* api: change "group not found" log to debug (Backport PR #20015, Upstream PR #19927, @tklauser)
* bug: Fix Hubble Peer Service Helm File Location (#19912, @nathanjsweet)
* bugtool: Add structured node and health output (Backport PR #20100, Upstream PR #20011, @gandro)
* build(deps): bump actions/cache from 3.0.2 to 3.0.3 (#20022, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.3 to 3.0.4 (#20101, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (#19802, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#19973, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#19901, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#19781, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.2 to 1.5.3 (#19867, @dependabot[bot])
* daemon, fqdn: Add flag to control FQDN regex LRU size (Backport PR #20100, Upstream PR #19383, @christarazi)
* Do not disable peer service when hubble.listenAddress is empty (Backport PR #20015, Upstream PR #19886, @chancez)
* docs: Add docs-builder build as dependency to live preview (Backport PR #20015, Upstream PR #19885, @qmonnet)
* docs: Document operator.unmanagedPodWatcher (Backport PR #19845, Upstream PR #19820, @joestringer)
* docs: Fix incorrect command in IPsec GSG (Backport PR #19859, Upstream PR #19767, @pchaigno)
* docs: Fix incorrect FQDN flag (Backport PR #20015, Upstream PR #19930, @pchaigno)
* docs: Fix max SPI value for IPsec key rotations (Backport PR #20015, Upstream PR #19893, @pchaigno)
* docs: Remove '\r' chars from grep result to parse Alpine image name (Backport PR #20015, Upstream PR #19888, @qmonnet)
* Expose metrics for active FQDN connections per endpoint (Backport PR #20100, Upstream PR #19857, @christarazi)
* helm: don't generate the hubble-peer svc during preflight checks (Backport PR #19859, Upstream PR #19759, @kaworu)
* helm: use port 80/443 by default for the peer service (Backport PR #20100, Upstream PR #19933, @rolinh)
* Improve Cilium DNS Proxy-related error metrics (Backport PR #19859, Upstream PR #19702, @christarazi)
* k8s: Update libraries to v1.21.11 (#19246, @nathanjsweet)
* metrics: Fix NaN value for cilium metrics list CLI (Backport PR #20100, Upstream PR #19987, @sayboras)
* pkg/labels: Optimize SortedList() and FormatForKVStore() (Backport PR #20100, Upstream PR #19423, @christarazi)
* pkg/policy/api: Optimize FQDNSelector String() (Backport PR #20100, Upstream PR #19570, @christarazi)

**Other Changes:**
* install: Update image digests for v1.10.11 (#19839, @joestringer)
* v1.10: tests-l4lb: Use Helm chart from local branch (#20004, @jibi)
* workflow: l4lb: pass correct path for PR checkout (#20008, @jibi)

## v1.10.11

Summary of Changes
------------------

**Minor Changes:**
* hubble/relay: Make the Hubble Peer service available by making it a Kubernetes service to eliminate the need to share a local Unix domain socket between a privileged pod (cilium daemon) and an unprivileged one (hubble-relay). (Backport PR #19744, Upstream PR #18620, @nathanjsweet)
* metrics: Add go_* metrics (Backport PR #19637, Upstream PR #19153, @chancez)

**Bugfixes:**
* Fixed Cilium agent regression causing a crash due to ipcache controller being scheduled too soon. (Backport PR #19574, Upstream PR #19501, @jrajahalme)
* Improve garbage collection for resources allocated by ToFQDNs policy for services which rotate IP addresses frequently such as Amazon S3 (Backport PR #19584, Upstream PR #19452, @joestringer)
* operator: Add cilium node garbage collector (Backport PR #19744, Upstream PR #19576, @sayboras)

**CI Changes:**
* jenkinsfiles: Increase VM boot timeout (Backport PR #19482, Upstream PR #19458, @pchaigno)

**Misc Changes:**
* build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#19537, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19726, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.1 to 2 (#19721, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#19617, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19724, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.2.0 to 2 (#19723, @dependabot[bot])
* docs: fix version warning URL to point to docs.cilium.io (Backport PR #19584, Upstream PR #19563, @aanm)
* docs: improve description for session affinity with KPR (Backport PR #19482, Upstream PR #19478, @julianwiedmann)
* docs: set the right url for API version check (Backport PR #19672, Upstream PR #19610, @aanm)
* docs: Update max MTU value for Nodeport XDP on AWS (Backport PR #19672, Upstream PR #19593, @qmonnet)
* identity: Initialize local identity allocator early (Backport PR #19574, Upstream PR #19556, @jrajahalme)
* images/cilium: remove cilium group from Dockerfile (Backport PR #19744, Upstream PR #19711, @aanm)
* LRP minor improvements (Backport PR #19482, Upstream PR #19489, @aditighag)
* make: check that Go major/minor version matches required version (Backport PR #19584, Upstream PR #19528, @tklauser)
* pkg/bpf: add map name in error message for OpenParallel (Backport PR #19482, Upstream PR #19491, @aanm)
* pkg/k8s: use subresource "nodes/status" to update node annotations (Backport PR #19674, Upstream PR #19590, @aanm)
* test/upgrade: use the unreleased helm chart of stable branches (Backport PR #19744, Upstream PR #19710, @aanm)
* Trimmed down Cilium's Cluster Roles to only the necessary rules (Backport PR #19674, Upstream PR #19074, @aanm)
* v1.10: images/runtime: update CNI plugins to 1.1.1 (#19692, @tklauser)

**Other Changes:**
* install: Update image digests for v1.10.10 (#19475, @joestringer)

## v1.10.10

Summary of Changes
------------------

**Minor Changes:**
* Locally allocated identities are now restored during restart, helping avoid transient drops due to identity changes in policies. (Backport PR #19404, Upstream PR #19360, @jrajahalme)

**Bugfixes:**
* cmd: Fix issue where a ConfigMap value of `{}` was parsed as `map["{}":""]`. (Backport PR #19254, Upstream PR #19172, @gandro)
* Fix a bug where a backend pod can be selected by a local redirect policy deployed in a different namespace if the local redirect policy was deployed first. (Backport PR #19254, Upstream PR #19193, @aditighag)
* Fix bug that would cause some pod traffic to leave through the wrong interface if --aws-release-excess-ips is used and masquerading disabled. (Backport PR #19296, Upstream PR #19162, @pchaigno)
* Fix bug where FQDN policy calculation could trigger a deadlock in cilium-agent (Backport PR #19254, Upstream PR #19031, @joestringer)
* Fix bug where the Cilium DNS proxy slows down significantly (and even OOMs) due to lock contention from spawning many goroutines when handling bursty DNS traffic (Backport PR #19416, Upstream PR #19336, @nebril)
* Fixed node init in RKE (Backport PR #19416, Upstream PR #19286, @raphink)
* helm: Removed unnecessary Kubernetes RBAC permissions for cilium-agent (Backport PR #19254, Upstream PR #19053, @nathanjsweet)
* helm: Update Clustermesh-APIServer RBAC permissions for platforms (like Openshift) that have the OwnerReferencesPermissionEnforcement admission controller enabled. (Backport PR #19254, Upstream PR #19071, @nathanjsweet)
* hubble/recorder: Sanitize pcap filename (Backport PR #19254, Upstream PR #18612, @gandro)
* wireguard: Reject duplicate public keys (Backport PR #19416, Upstream PR #19344, @gandro)

**CI Changes:**
* jenkinsfiles: Update calls to Quay API (Backport PR #19254, Upstream PR #19229, @pchaigno)
* test: Wait until host EP is ready (=regenerated) (Backport PR #19331, Upstream PR #18859, @brb)
* Use docker manifest inspect to wait for images instead of using quay API (Backport PR #19331, Upstream PR #19307, @YutaroHayakawa)
* workflows: Update call to Quay API (Backport PR #19254, Upstream PR #19228, @pchaigno)

**Misc Changes:**
* Add a 'Limitations' section to 'External Workloads'. (Backport PR #19416, Upstream PR #19366, @bmcustodio)
* add context when return errors during datapath initialization (Backport PR #19254, Upstream PR #18011, @kerthcet)
* build(deps): bump actions/cache from 3.0.0 to 3.0.1 (#19272, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.1 to 3.0.2 (#19392, @dependabot[bot])
* build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#19446, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.1 to 1.5.2 (#19324, @dependabot[bot])
* ci: Pin down image for the documentation workflow (Backport PR #19416, Upstream PR #19356, @qmonnet)
* docs: Clarify use of the `eni.subnetTagsFilter` option (Backport PR #19331, Upstream PR #19276, @gandro)
* envoy: Limit accesslog socket permissions (Backport PR #19416, Upstream PR #19190, @jrajahalme)
* ipcache: Add test asserting out-of-order Kubernetes events (Backport PR #19331, Upstream PR #19258, @christarazi)
* Test runtime cilium in container (take two) (Backport PR #19404, Upstream PR #19310, @jrajahalme)
* test: Fix whitespace in docker-run-cilium (Backport PR #19404, Upstream PR #19358, @jrajahalme)
* vendor: pull in the latest changes from github.com/vishvananda/netlink (Backport PR #19404, Upstream PR #18618, @aditighag)
* wireguard: Fix invalid bits when agent init (Backport PR #19254, Upstream PR #19118, @Junnplus)

**Other Changes:**
* install: Update image digests for v1.10.9 (#19239, @aanm)

## v1.10.9

Summary of Changes
------------------

**Important Bugfixes**
* Prevent unmanaged pods in GKE's containerd flavors. (Backport PR #18835, Upstream PR #18486, @bmcustodio)
 *Important:* Users should update their node taints from `node.cilium.io/agent-not-ready=true:NoSchedule` to `node.cilium.io/agent-not-ready=true:NoExecute`.
 *Important:* During the first node reboot after the fix is applied, pods may still get IPs from the default CNI, as cilium-node-init only runs later in the node startup process. The fix will then be in place for all subsequent reboots.
* Clarify taint effects in the documentation. (Backport PR #19236, Upstream PR #19186, @bmcustodio)

**Minor Changes:**
* Adds support to connect Clustermesh clusters through Helm Chart. (Backport PR #18918, Upstream PR #17851, @samueltorres)
* docs: update Azure Service Principal / IPAM documentation (Backport PR #19023, Upstream PR #18891, @nbusseneau)

**Bugfixes:**
* Fix 'node-init' in GKE's 'cos' images. (Backport PR #19062, Upstream PR #19017, @bmcustodio)
* Fix concurrency issue while waiting for node-init DaemonSet to be ready (Backport PR #19062, Upstream PR #18897, @aanm)
* Fix connectivity outage periods with ENI IPAM mode and IPsec enabled when nodes are deleted from the cluster (Backport PR #19023, Upstream PR #18827, @christarazi)
* Fix IPsec in Azure's IPAM mode (Backport PR #19023, Upstream PR #18911, @pchaigno)
* Fix issue where StatefulSet pod restarts could trigger persistent connectivity issues for the pods due to overzealous CiliumEndpoint resource removal by cilium-agent instances (Backport PR #19127, Upstream PR #18864, @timoreimann)
* hubble: Added nil check in filterByTCPFlags() to avoid segfault (Backport PR #19023, Upstream PR #18877, @wazir-ahmed)
* ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent (Backport PR #19062, Upstream PR #17856, @gandro)

**CI Changes:**
* Fix EncryptStatusSuite.TestCountUniqueIPsecKeys (Backport PR #19023, Upstream PR #18506, @tklauser)
* jenkinsfiles: bump runtime tests VM boot timeout (Backport PR #19023, Upstream PR #18886, @nbusseneau)

**Misc Changes:**
* Alibabacloud fixes (Backport PR #18835, Upstream PR #18762, @jaffcheng)
* bpf: avoid encrypt_key map lookup if IPsec is disabled (Backport PR #19062, Upstream PR #17840, @tklauser)
* build(deps): bump actions/cache from 2.1.7 to 3 (#19210, @dependabot[bot])
* build(deps): bump actions/checkout from 2.4.0 to 3 (#18993, @dependabot[bot])
* build(deps): bump actions/download-artifact from 2.1.0 to 3 (#19012, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.2.0 to 3 (#18964, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.3.1 to 3 (#19028, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#19147, @dependabot[bot])
* build(deps): bump docker/login-action from 1.13.0 to 1.14.0 (#18968, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.0 to 1.14.1 (#18994, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3 (#18949, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#18967, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.0 to 1.5.1 (#18950, @dependabot[bot])
* docs: fix tip about opening the Hubble server port on all nodes (Backport PR #19062, Upstream PR #19036, @rolinh)
* docs: Remove trailing step in AWS helm install (Backport PR #19023, Upstream PR #18893, @joestringer)
* helm: Enable offline deployments for OpenShift clusters (Backport PR #18918, Upstream PR #18849, @nathanjsweet)
* pkg/maps: Fix data races around accessing nat maps (Backport PR #19023, Upstream PR #18952, @aditighag)
* v1.10: Update Go to 1.16.15 (#19060, @tklauser)

**Other Changes:**
* install: Update image digests for v1.10.8 (#18926, @joestringer)
* v1.10: Update Cilium runtime dependencies (#19178, @joestringer)

## v1.10.8

Summary of Changes
------------------

**Minor Changes:**
* helm: Add values for custom service monitor annotations (Backport PR #18782, Upstream PR #18681, @michi-covalent)
* metrics: Expose xfrm stats in prometheus metrics (Backport PR #18668, Upstream PR #18553, @sayboras)

**Bugfixes:**
* Cilium host proxy is updated to Envoy release 1.21.1 (Backport PR #18890, Upstream PR #18899, @jrajahalme)
* clustermesh-apiserver: fix cmd-line args processing (Backport PR #18724, Upstream PR #18277, @abocim)
* cmd: Fix issue reading string map type via config map (Backport PR #18724, Upstream PR #18478, @sayboras)
* datapath: Only unload obsolete XDP when attached (Backport PR #18668, Upstream PR #18636, @jaffcheng)
* Fix a bug with local redirect policies selecting host networked pods as local endpoints not taking effect. (Backport PR #18724, Upstream PR #18563, @aditighag)
* Fix bug where Cilium drops traffic from remote nodes in etcd mode, despite policy that allows the traffic (Backport PR #18801, Upstream PR #18777, @joestringer)
* labelfilter: Refine default label regexps (Backport PR #18724, Upstream PR #18693, @twpayne)

**CI Changes:**
* ci: fix QEMU image build following Google Cloud SDK updates (Backport PR #18782, Upstream PR #18720, @nbusseneau)
* ci: remove box download timeout in upstream tests (Backport PR #18724, Upstream PR #18707, @nbusseneau)
* Enable CI for feature branches (Backport PR #18617, Upstream PR #18554, @jibi)
* test/runtime: fix flake on non-ready endpoints (Backport PR #18668, Upstream PR #18627, @tklauser)
* test: Fix pod cleanup after various tests (Backport PR #18668, Upstream PR #18448, @joestringer)

**Misc Changes:**
* build(deps): bump actions/setup-go from 2.1.5 to 2.2.0 (#18754, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#18689, @dependabot[bot])
* build(deps): bump docker/login-action from 1.12.0 to 1.13.0 (#18837, @dependabot[bot])
* Cilium host proxy is updated to Envoy release 1.21.0 (Backport PR #18890, Upstream PR #18748, @jrajahalme)
* contrib: Fix backport submission for own PRs (Backport PR #18668, Upstream PR #17988, @joestringer)
* doc: getting started minor fixes (Backport PR #18668, Upstream PR #18024, @kaworu)
* docs: add Hands-on tutorial (Backport PR #18724, Upstream PR #18583, @vannyle)
* docs: disable k3s network policy enforcement (Backport PR #18724, Upstream PR #18671, @tklauser)
* docs: export KUBECONFIG for cilium-cli with k3s (Backport PR #18724, Upstream PR #18697, @tklauser)
* docs: Update clustermesh example verification steps (Backport PR #18782, Upstream PR #18764, @sayboras)
* update k8s library versions (#18588, @aanm)
* v1.10: Update Go to 1.16.14 (#18798, @tklauser)

**Other Changes:**
* install: Update image digests for v1.10.7 (#18537, @joestringer)
* v1.10: Update Cilium base images (#18875, @joestringer)

## v1.10.7

Summary of Changes
------------------

**Bugfixes:**
* bpf: egressgw: sync logic to determine if destination is outside cluster (Backport PR #18379, Upstream PR #18246, @jibi)
* daemon: Fix multi-dev XDP check (Backport PR #18365, Upstream PR #18305, @brb)
* egressgateway: fix initial reconciliation (Backport PR #18461, Upstream PR #18325, @jibi)
* Fix an issue where the tunnel map sync controller causes errors even though tunneling is disabled. (Backport PR #18276, Upstream PR #18247, @tklauser)
* Fix crash on startup if proxy is disabled (Backport PR #18276, Upstream PR #18198, @chaosbox)
* Fix possible IP leak in case ENIs are not present in the CN yet (Backport PR #18487, Upstream PR #18352, @codablock)
* Fix TCP connectivity issues in the DSR mode when conntrack entries with missing DSR flag are reused. (Backport PR #18276, Upstream PR #18041, @Inode1)
* hubble: Fix misclassification of `to-network` reply packets (Backport PR #18276, Upstream PR #18196, @gandro)

**CI Changes:**
* ci: use python3 instead of python (Backport PR #18445, Upstream PR #18443, @nebril)
* github: Misc improvements for the L4LB test suite (Backport PR #18233, Upstream PR #17005, @brb)
* test: Add Error Log Exceptions (Backport PR #18233, Upstream PR #18117, @nathanjsweet)
* test: bump l4lb Vagrantfile kind to 0.11.1 (Backport PR #18487, Upstream PR #18370, @jibi)
* v1.10 ci: set PR base for codeql workflow (#18369, @tklauser)

**Misc Changes:**
* bpf: Reset Pod's queue mapping in host veth to fix phys dev mq selection (Backport PR #18487, Upstream PR #18388, @borkmann)
* build(deps): bump 8398a7/action-slack from 3.12.0 to 3.13.0 (#18425, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.1.4 to 2.1.5 (#18321, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.3.0 to 2.3.1 (#18265, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#18519, @dependabot[bot])
* build(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#18309, @dependabot[bot])
* Changed the documentation for Kubespray installation to recommend using `-e` flag for `cilium_version` variable instead of editing the role variables. (Backport PR #18445, Upstream PR #18342, @necatican)
* docs: Fix `first-interface-index` documentation (Backport PR #18445, Upstream PR #18327, @gandro)
* docs: Fix incorrect mention of `bpf.masquerade`'s default value (Backport PR #18445, Upstream PR #18420, @pchaigno)
* docs: Replace 'micro version' with 'patch version' (Backport PR #18445, Upstream PR #18279, @pchaigno)
* docs: Replace janitors team with tophat team (Backport PR #18445, Upstream PR #18430, @pchaigno)
* docs: Warn against Helm's `--reuse-values` in Cilium upgrades (Backport PR #18276, Upstream PR #18259, @gandro)
* Revert "test: Add Error Log Exceptions" (#18457, @nbusseneau)
* v1.10: Update Go to 1.16.12 (#18228, @tklauser)
* v1.10: Update Go to 1.16.13 (#18415, @tklauser)

**Other Changes:**
* .github: stop pushing last stable image from v1.10 branches (#18272, @joestringer)
* install: add mountPropagation directive to bpf-maps volume in cilium DS (#18438, @jibi)
* install: Update image digests for v1.10.6 (#18235, @joestringer)
* v1.10: CODEOWNERS: janitors renamed to tophat (#18362, @pchaigno)

## v1.10.6

Summary of Changes
------------------

**Minor Changes:**
* datapath,daemon: Enable multi-dev XDP (Backport PR #18066, Upstream PR #17655, @brb)
* helm: Disable BPF masquerading in v1.10+ (Backport PR #17985, Upstream PR #17824, @pchaigno)
* Reduce bugtool memory usage (Backport PR #17861, Upstream PR #17546, @tklauser)
* service: Always allocate higher ID for svc/backend (Backport PR #18146, Upstream PR #18113, @brb)

**Bugfixes:**
* Adds an `ACCEPT` rule for untracked pkts in `filter:CILIUM_OUTPUT` (Backport PR #17861, Upstream PR #17585, @Weil0ng)
* bpf: exclude pod's reply traffic from egress gateway logic (Backport PR #17985, Upstream PR #17869, @jibi)
* bug/pkg/health: Fix Nil Address Issue in Node Update Mechanism (Backport PR #17861, Upstream PR #17667, @nathanjsweet)
* bugtool: fix data race occurring when running commands (Backport PR #17985, Upstream PR #17916, @rolinh)
* bugtool: fix IP route debug gathering commands (Backport PR #18066, Upstream PR #18059, @tklauser)
* daemon, node: Remove old, discarded router IPs from `cilium_host` (Backport PR #18088, Upstream PR #17762, @christarazi)
* Define operator feature flags to allow the operator to register related CRDs. (Backport PR #17861, Upstream PR #17772, @pchaigno)
* egressgateway: Allow several CENPs with same egress IP (Backport PR #17861, Upstream PR #17773, @pchaigno)
* egressgateway: fix manager logic (Backport PR #18082, Upstream PR #17813, @jibi)
* Fix bug where the agents would silently skip all IPv6 masquerading due to an incorrect configuration. (Backport PR #17985, Upstream PR #17906, @pchaigno)
* Fix identity leak via FQDN selectors (Backport PR #17861, #17987, #18189, Upstream PRs #17699, #17788, #18166, @joestringer)
* Fix incorrect application of egress gateway policy to internal cluster traffic. Require a 5.2 kernel or later for the egress gateway policy feature. (Backport PR #17861, Upstream PR #17639, @kkourt)
* Fix issue where local host IPs may be briefly associated with the remote-node identity, causing policy drops when policy should allow traffic from the host. (Backport PR #17861, Upstream PR #17836, @joestringer)
* Fix several complexity and program size issues when only one of IPv4/IPv6 is enabled. (Backport PR #17652, Upstream PR #17573, @pchaigno)
* Fixes an issue which can cause traffic to be dropped when running Cilium in ENI mode due to the presence of iptables rules left over by the AWS VPC CNI plugin. Notable features that could be impacted include the egress gateway functionality. (Backport PR #17985, Upstream PR #17845, @bmcustodio)
* Fixes for IPsec and endpoint routes (Backport PR #17985, Upstream PR #17865, @kkourt)
* node-init: cleanup snat iptables rules when running in eni mode with masquerading disabled (Backport PR #17861, Upstream PR #16840, @bmcustodio)
* node: Skip ipcache for remote node IPs if IPsec is enabled (Backport PR #17652, Upstream PR #17511, @pchaigno)

**CI Changes:**
* .github: Fix codeQL workflow skip logic (Backport PR #17625, Upstream PR #17587, @joestringer)
* aks: fix AKS cluster creation following new taint limitations (Backport PR #17625, Upstream PR #17529, @nbusseneau)
* bpf/Makefile: Enable setting complexity options (Backport PR #17625, Upstream PR #17364, @pchaigno)
* bpf: Add WireGuard to complexity and compile tests (Backport PR #18146, Upstream PR #18048, @pchaigno)
* ci: Restart pods when toggling KPR switch (Backport PR #18146, Upstream PR #18031, @brb)
* k8sT/Egress: fixes (Backport PR #17625, Upstream PR #17581, @kkourt)
* mlh: switch runtime from kernel 4.9 to net-next (#18096, @nbusseneau)
* test/contrib: Bump CoreDNS version to 1.8.3 (Backport PR #18146, Upstream PR #18018, @brb)
* test/K8sVerifier: Cover several datapath configurations (Backport PR #17652, Upstream PR #17470, @pchaigno)
* test: Do not require netpols in 'waitNextPolicyRevisions()' (Backport PR #17861, Upstream PR #17769, @jrajahalme)
* test: Extend coredns clusterrole with additional resource permissions (Backport PR #18146, Upstream PR #18104, @aditighag)
* test: Fix incorrect selector for netperf-service (Backport PR #18146, Upstream PR #18006, @christarazi)
* test: use stable zookeeper image (Backport PR #18210, Upstream PR #18186, @tklauser)
* workflows: Fix use of paths-filter on master pushes (Backport PR #17652, Upstream PR #16507, @pchaigno)
* workflows: Run CodeQL workflow if the workflow is edited (Backport PR #18189, Upstream PR #17982, @pchaigno)

**Misc Changes:**
* .github: Increase reporting threshold for new flakes (Backport PR #17861, Upstream PR #17812, @pchaigno)
* .github: Rename `project/ci-force` to `ci/flake` (Backport PR #17861, Upstream PR #17344, @pchaigno)
* Adds a warning in the upgrade doc about split cluster (Backport PR #17861, Upstream PR #17755, @Weil0ng)
* Allow to add custom labels to ServiceMonitors cilium-agent, cilium-operator, hubble in the Cilium Helm chart. (Backport PR #17746, Upstream PR #17509, @canhnt)
* bpf: Refactoring egress gateway datapath (Backport PR #17985, Upstream PR #17868, @pchaigno)
* build(deps): bump 8398a7/action-slack from 3.10.0 to 3.11.0 (#17888, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.11.0 to 3.12.0 (#17964, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.6 to 2.1.7 (#17970, @dependabot[bot])
* build(deps): bump actions/checkout from 2.3.4 to 2.3.5 (#17634, @dependabot[bot])
* build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (#17784, @dependabot[bot])
* build(deps): bump actions/download-artifact from 2.0.10 to 2.1.0 (#18160, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.2.4 to 2.3.0 (#18162, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.0 (#17749, @dependabot[bot])
* contrib/backporting: Dockerize backporting scripts (Backport PR #17652, Upstream PR #17157, @aditighag)
* daemon: add K8sCacheIsSynced() method (Backport PR #17861, Upstream PR #17651, @jibi)
* daemons: name init functions and have one `init` (Backport PR #17727, Upstream PR #17616, @nebril)
* docs: add registry (quay.io/) for pre-loading images for kind (Backport PR #18066, Upstream PR #18017, @adamzhoul)
* docs: fix a block directive in OpenShift GSG (Backport PR #17861, Upstream PR #17760, @qmonnet)
* docs: fix eksctl ClusterConfig to allow copy (Backport PR #18146, Upstream PR #18110, @aanm)
* docs: Fix helm value when deploying pure ipvlan l3 mode (Backport PR #17727, Upstream PR #17708, @chendotjs)
* docs: fix link to signoff / certificate of origin section (Backport PR #18146, Upstream PR #18123, @timoreimann)
* docs: KUBECONFIG for cilium-cli with k3s (Backport PR #18146, Upstream PR #18068, @kkourt)
* docs: Mention about KubeVirt in KPR docs (Backport PR #17861, Upstream PR #17847, @brb)
* docs: Reword sentence on WireGuard limitation (Backport PR #17861, Upstream PR #17822, @pchaigno)
* docs: Update the minimum required Minikube version (Backport PR #18189, Upstream PR #18155, @pchaigno)
* docs: Use cilium sysdump instead of python sysdump (Backport PR #17727, Upstream PR #17402, @michi-covalent)
* docs: Use git+https in requirements.txt (Backport PR #17861, Upstream PR #17756, @michi-covalent)
* Fix documented EC2 IAM action (Backport PR #18066, Upstream PR #17958, @austince)
* install/kubernetes/cilium: reference stable docs for eBPF maps (Backport PR #17861, Upstream PR #17757, @tklauser)
* install: Update image digests for v1.10.5 (#17608, @joestringer)
* Minor egress gateway fixups (Backport PR #17861, Upstream PR #17663, @pchaigno)
* monitor: Initialize agent in daemon early (Backport PR #17727, Upstream PR #17407, @gandro)
* pkg: rename egresspolicy package to egressgateway (Backport PR #17727, Upstream PR #17630, @jibi)
* test: Disable unreliable K8sBookInfoDemoTest test (Backport PR #17985, Upstream PR #17550, @twpayne)
* ui: v0.8.5 (Backport PR #18210, Upstream PR #18203, @geakstr)
* v1.10: Update Go to 1.16.10 (#17793, @tklauser)
* v1.10: Update Go to 1.16.11 (#18130, @tklauser)
* verifier-test.sh: allow for empty FOO_PROGS (Backport PR #17625, Upstream PR #17408, @kkourt)

## v1.10.5

Summary of Changes
------------------

**Minor Changes:**
* daemon: Make L2 neighbor discovery configurable. (Backport PR #17531, Upstream PR #16974, @bjhaid)
* datapath: Add a new option to skip socket lb when in pod ns (Backport PR #17531, Upstream PR #17154, @brb)

**Bugfixes:**
* Cilium Istio integration is updated to Istio release 1.10.4 (Backport PR #17392, Upstream PR #17275, @jrajahalme)
* datapath: Do not SNAT replies to outside (Backport PR #17392, Upstream PR #17168, @brb)
* egress gateway: fix non-tunnel (direct routing) mode (Backport PR #17582, Upstream PR #17517, @kkourt)
* Fix bug where IP addresses of devices in unknown state are resolved as remote-node (Backport PR #17495, Upstream PR #17418, @jibi)
* Fix memory leak that can occur with the presence of FQDN policies (Backport PR #17495, Upstream PR #17432, @aanm)
* helm: upgrade envoy to v1.18.4 for hubble-ui (Backport PR #17495, Upstream PR #17439, @geakstr)
* hubble: Display proxy redirects in policy verdict events (Backport PR #17495, Upstream PR #17411, @pchaigno)
* node: Fix race condition on labels' getter/setter (Backport PR #17313, Upstream PR #17217, @pchaigno)
* Optimize memory consumption for clusters with high number of repeated FQDN matchPattern or matchNames (Backport PR #17313, Upstream PR #17224, @aanm)
* pkg/identity: Add missing labels to well-known identities (Backport PR #17495, Upstream PR #16585, @mauriciovasquezbernal)
* Remove CiliumNode deletion logic from CiliumNode watcher and guarantee CiliumNode's OwnerReference is always set (Backport PR #17495, Upstream PR #17329, @christarazi)
* Set right User Agent in Kubernetes client for all Cilium components. (Backport PR #17495, Upstream PR #17417, @aanm)

**CI Changes:**
* [v1.10] fix MLH config trigger (#17423, @nbusseneau)
* ci: update cilium-cli to 0.9.1 (Backport PR #17392, Upstream PR #17464, @nebril)
* test/runtime: Look into log errors after test start (Backport PR #17392, Upstream PR #17351, @joamaki)
* test: bump coredns version to 1.7.0 (Backport PR #17531, Upstream PR #17489, @aanm)
* test: Skip Istio test on k8s <1.17 (Backport PR #17392, Upstream PR #17445, @jrajahalme)
* workflows: pin `cilium-cli` version to v0.8.6 (Backport PR #17392, Upstream PR #17143, @nbusseneau)

**Misc Changes:**
* Add neighbor discovery behavior docs to kubeproxy-free. (Backport PR #17531, Upstream PR #17469, @bjhaid)
* bpf: Add extension for running sock LB on MKE-related containers (Backport PR #17559, Upstream PR #17513, @borkmann)
* bugtool: Include listing of egress gateway map (Backport PR #17495, Upstream PR #17378, @pchaigno)
* build(deps): bump 8398a7/action-slack from 3.9.2 to 3.9.3 (#17379, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.9.3 to 3.10.0 (#17449, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.5.1 to 1.6.0 (#17325, @dependabot[bot])
* contrib/backporting: add environment variables to set ORG and REPO (Backport PR #17495, Upstream PR #17424, @aanm)
* daemon, ipam, option: Introduce ability to bypass IP availability error (Backport PR #17531, Upstream PR #17492, @christarazi)
* daemon: Add --derive-masquerade-ip-addr-from-device opt (Backport PR #17495, Upstream PR #17230, @brb)
* datapath/linux: enable neighbor discovery in unit tests (Backport PR #17557, Upstream PR #17044, @aanm)
* docs: Clarify exact requirements for the egress gateway (Backport PR #17392, Upstream PR #17381, @pchaigno)
* docs: clarify language on libceph and kernel 5.8 in kubeproxy-free GSG (Backport PR #17531, Upstream PR #16969, @bluikko)
* docs: Fix command for overwriting iptables on kube-proxy replacement install (Backport PR #17495, Upstream PR #16264, @Stijn98s)
* docs: Fix up broken minikube link (Backport PR #17495, Upstream PR #17382, @joestringer)
* docs: Fix version sorting for CRD schema docs (Backport PR #17495, Upstream PR #17288, @joestringer)
* ethtool: use ioctl wrapper from golang.org/x/sys/unix (Backport PR #17392, Upstream PR #17153, @tklauser)
* fix(docs): bandwidth-manager install error (Backport PR #17392, Upstream PR #17338, @withlin)
* fqdn: add fqdn proxy interface (Backport PR #17582, Upstream PR #17318, @nebril)
* helm: Expose l2 neigh discovery related agent flags (Backport PR #17557, Upstream PR #17526, @brb)
* helm: set correct versions of docker images in Makefile (Backport PR #17495, Upstream PR #17477, @aanm)
* jenkinsfiles: Don't display nulls in current build display name (Backport PR #17392, Upstream PR #17258, @twpayne)
* operator: Improve identity GC efficiency (Backport PR #17495, Upstream PR #17359, @christarazi)
* proxy: Expose cachedSelectorREEntry type (Backport PR #17531, Upstream PR #17341, @nebril)
* Update Go to 1.16.9 (#17566, @tklauser)
* v1.10: Update Go to 1.16.8 (#17361, @tklauser)
* vendor: update mongo-driver to 1.5.1 to fix CVE-2021-20329 (Backport PR #17313, Upstream PR #17234, @aanm)

**Other Changes:**
* install: Update image digests for v1.10.4 (#17298, @joestringer)
* Populates backend map from V2 backend map (#17308, @Weil0ng)

## v1.10.4

Summary of Changes
------------------

**Minor Changes:**
* Auto-mount bpf file-system from within Cilium DaemonSet and remove the requirement of having it mounted in the host. (Backport PR #17119, Upstream PR #16656, @aanm)
* Cilium Envoy integration is updated to release 1.18.4. (#17200, @jrajahalme)

**Bugfixes:**
* Add '*.mesh.cilium.io' to the list of SANs for the server certificate of 'clustermesh-apiserver'. (Backport PR #17119, Upstream PR #17027, @bmcustodio)
* change log level for `lock failed: endpoint is in the process of being removed` (Backport PR #16960, Upstream PR #16773, @humancalico)
* datapath: panic explicitly when IP of direct-routing-device not found (Backport PR #17183, Upstream PR #17064, @ArthurChiao)
* Fix a crash where user specifies incorrect service name in a local redirect policy config, or policy selected service is added after the policy is added. (Backport PR #17183, Upstream PR #16216, @aditighag)
* Fix bug where timers used for retries sometimes fired immediately (Backport PR #17011, Upstream PR #16955, @gandro)
* Fix Linux slave interface detection (Backport PR #17216, Upstream PR #17189, @pchaigno)
* Fix transient policy deny during agent restart (Backport PR #17216, Upstream PR #17115, @jaffcheng)
* hubble/recorder: Refactor service implementation to fix multiple races (Backport PR #17011, Upstream PR #16472, @gandro)
* hubble: Never fail with ErrInvalidRead (Backport PR #17183, Upstream PR #17046, @michi-covalent)
* policy: Fix `cilium policy trace` output when only deny rules are applied (Backport PR #17119, Upstream PR #16991, @chez-shanpu)
* Remove `node.cilium.io/agent-not-ready` node taints if they are re-added after Cilium has started (Backport PR #17256, Upstream PR #17112, @aanm)
* routing: Fix incorrect interface selection for egress pod routes (Backport PR #17183, Upstream PR #17169, @pchaigno)

**CI Changes:**
* .github/workflows: use latest stable cilium-cli release (Backport PR #16960, Upstream PR #16892, @tklauser)
* .github: harden permissions on GH workflows (Backport PR #16960, Upstream PR #16941, @aanm)
* .github: remove workflows triggered by comments (#16950, @aanm)
* hubble/relay: Fix close of closed channel in unit test (Backport PR #16993, Upstream PR #16958, @gandro)
* node-neigh: Wait instead of sleeping in unit tests (Backport PR #17119, Upstream PR #17035, @aanm)
* test: Fix artifact collection for bad log failures (Backport PR #16960, Upstream PR #16489, @pchaigno)
* test: Fix artifact collection for FQDN matchPattern test (Backport PR #16960, Upstream PR #16759, @pchaigno)
* test: Fix missing artifacts for tests with parentheses (Backport PR #16960, Upstream PR #16540, @pchaigno)
* test: Spring cleaning of K8sServicesTest (Backport PR #16630, Upstream PR #16470, @brb)
* workflows: use `!success()` for sysdump and Slack notifications (Backport PR #16960, Upstream PR #16899, @nbusseneau)

**Misc Changes:**
* .github: add MLH config for flake tracking (#17041, @aanm)
* Avoid transitive dependency on github.com/miekg/dns in policy API (Backport PR #16960, Upstream PR #16806, @tklauser)
* backporting: Suggest only one related commit for a backport (Backport PR #17011, Upstream PR #16907, @joestringer)
* bpf: Remove duplicate define from MAX_BASE_OPTIONS (Backport PR #16960, Upstream PR #16911, @christarazi)
* build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 (#16997, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#17250, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 (#17199, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16973, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 (#16982, @dependabot[bot])
* contrib: Improve release script guard rails (Backport PR #16993, Upstream PR #16936, @joestringer)
* docs: Clarify SA target in KPR gsg (Backport PR #17011, Upstream PR #16954, @brb)
* docs: fix code-block formatting for XDP load example (Backport PR #16960, Upstream PR #16876, @ClaudiaJKang)
* docs: Fix missing quote in gcloud command for GKE (Backport PR #17119, Upstream PR #17014, @christarazi)
* docs: improve the bandwidth manager page (Backport PR #16993, Upstream PR #16783, @bmcustodio)
* Improves the error logs during the bpf maps updating (Backport PR #16960, Upstream PR #16034, @elfadel)
* install: Fix README links to getting started guides (Backport PR #17119, Upstream PR #16947, @joestringer)
* Makefile: fix typo in helper message (Backport PR #17183, Upstream PR #17128, @aanm)
* Misc. GH workflow improvements and hardness (Backport PR #16960, Upstream PR #16908, @aanm)
* operator: misc. refactoring and code removal (Backport PR #17119, Upstream PR #16918, @aanm)
* proxylib/test: fix data race between StartAccessLogServer and Close (Backport PR #17216, Upstream PR #16298, @tklauser)
* proxylib: Fix data races in unit tests (Backport PR #17216, Upstream PR #17141, @gandro)
* Restrict Kubernetes access for hubble-relay (Backport PR #16993, Upstream PR #16937, @jonkerj)
* v1.10: Update cilium base images (#17266, @joestringer)
* v1.10: Update Go to 1.16.7 (#17124, @tklauser)
* vendor: Update k8s dependencies and tests to 1.21.3 (Backport PR #16993, Upstream PR #16608, @christarazi)
* version, metrics: allow to build on non-unix platforms (Backport PR #16960, Upstream PR #16679, @tklauser)

**Other Changes:**
* github: fix GH workflows to handle push events to stable branches (#16979, @aanm)
* install: Update image digests for v1.10.3 (#16901, @aanm)

## v1.10.3

Summary of Changes
------------------

**Major Changes:**
* Provide new installation steps to deploy Cilium in managed kubernetes providers (GKE, EKS, AKS) to allow scale up and down node pools. (Backport PR #16774, Upstream PR #16631, @aanm)

**Minor Changes:**
* daemon: Add option --bpf-lb-external-clusterip (Backport PR #16774, Upstream PR #15650, @joamaki)

**Bugfixes:**
* Envoy configuration with `--proxy-prometheus-port` is fixed. (Backport PR #16829, Upstream PR #16834, @jrajahalme)
* iptables: Remove leading zeroes (Backport PR #16829, Upstream PR #16817, @jrajahalme)
* Potential deadlock in pod identity updates has been fixed. (Backport PR #16829, Upstream PR #16801, @jrajahalme)
* Removes cilium daemonset's dependencies on utilities like `sh` and `mount` being installed in the underlying host distributions. (Backport PR #16824, Upstream PR #16815, @aditighag)

**CI Changes:**
* .github: do not useDigest in conformance tests (Backport PR #16837, Upstream PR #16836, @aanm)
* Bump cilium-cli to v0.8.4 (Backport PR #16829, Upstream PR #16799, @tklauser)
* ci/conformance: Various image-related fixes (Backport PR #16829, Upstream PR #16715, @gandro)
* conformance tests: Use hubble-relay-ci image (Backport PR #16829, Upstream PR #16363, @michi-covalent)
* Fix and add more commands in CI sysdumps (Backport PR #16774, Upstream PR #16721, @aanm)
* test/Bookinfo: Collect full artifact in case of failure (Backport PR #16829, Upstream PR #16775, @pchaigno)
* test: Delete DNS pods in AfterAll for datapath tests (Backport PR #16829, Upstream PR #16835, @joestringer)
* test: Delete Istio resources if install does not complete (Backport PR #16829, Upstream PR #16440, @jrajahalme)
* test: do not useDigest in upstream tests (Backport PR #16829, Upstream PR #16886, @aanm)
* test: Move instrumentation to AfterFailed instead of AfterAll (Backport PR #16829, Upstream PR #16845, @christarazi)
* test: Redeploy DNS after endpointRoutes reconfiguration (Backport PR #16829, Upstream PR #16767, @joestringer)
* test: Wait for kube-dns before starting test (Backport PR #16829, Upstream PR #16411, @jrajahalme)
* workflows: fix concurrency group names (Backport PR #16829, Upstream PR #16711, @nbusseneau)
* workflows: fix L4LB test missing PR reporting on issue_comment (Backport PR #16829, Upstream PR #16830, @nbusseneau)
* workflows: fix Relay pgrep check when using additional flags (Backport PR #16829, Upstream PR #16831, @nbusseneau)
* workflows: remove label filters for testing workflows (Backport PR #16829, Upstream PR #16735, @nbusseneau)
* workflows: various fixes & consistency passes (Backport PR #16829, Upstream PR #16787, @nbusseneau)

**Misc Changes:**
* [v1.10] install/kubernetes: re-add restartPods (#16858, @aanm)
* Docs: Fix maglev.hashSeed byte size documentation (Backport PR #16774, Upstream PR #16690, @gaffneyd4)
* Allow configuration of probe timers in Helm chart (Backport PR #16774, Upstream PR #16584, @jonkerj)
* bugtool: Collect BPF cgroup programs related information (Backport PR #16774, Upstream PR #16691, @aditighag)
* build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 (#16763, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 (#16856, @dependabot[bot])
* contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml' (Backport PR #16774, Upstream PR #16750, @aanm)
* contrib: Explicitly set remote for backport branches (Backport PR #16829, Upstream PR #16804, @twpayne)
* docs(k3s): add back the flag to disable network policies (Backport PR #16829, Upstream PR #16755, @rio)
* docs: account for bandwidth manager now being disabled by default (Backport PR #16829, Upstream PR #16782, @bmcustodio)
* docs: Document dns visibility limitations (Backport PR #16829, Upstream PR #16822, @joestringer)
* docs: fix code-block for bpf mount example (Backport PR #16774, Upstream PR #16719, @aanm)
* github: Increase workflow timeout (Backport PR #16829, Upstream PR #16819, @jrajahalme)
* Improve logging when cgroupfs mount fails (Backport PR #16829, Upstream PR #15999, @johngv2)
* pkg/k8s: re-add CiliumIsUp Node condition even if removed (Backport PR #16829, Upstream PR #16857, @aanm)
* Revert "docs: add 'endpointRoutes.enabled=true' to aws-cni" (Backport PR #16774, Upstream PR #16756, @bmcustodio)
* Revert "policy: Make selectorcache callbacks lock-free" (Backport PR #16829, Upstream PR #16769, @aanm)
* v1.10: Update Go to 1.16.6 (#16878, @tklauser)

**Other Changes:**
* [v1.10] fix condition for running documentation GitHub action on Helm updates (#16747, @qmonnet)
* install: Update image digests for v1.10.2 (#16764, @aanm)

## v1.10.2

Summary of Changes
------------------

**Minor Changes:**
* Fixes connectivity issues when kube-proxy replacement is enabled, caused by
  ineffective socket based load balancing (aka host reachable services) in the private
  cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration). (Backport PR #16671, Upstream PR #16259, @aditighag)

**Bugfixes:**
* bpf: fix iptables masquerading for node -> remote pod traffic (Backport PR #16654, Upstream PR #16136, @jibi)
* bpf: fix hw_csum issue for icmp probe packets (Backport PR #16614, Upstream PR #16604, @borkmann)
* daemon, node: Fix faulty router IP restoration logic (Backport PR #16675, Upstream PR #16672, @christarazi)
* DNS proxy is now more available during Cilium restarts, including upgrades. (Backport PR #16686, Upstream PR #16391, @jrajahalme)
* External Workloads service access is enabled again. (Backport PR #16686, Upstream PR #16662, @jrajahalme)
* Fix issue where generating Hubble certs was broken (Backport PR #16614, Upstream PR #16509, @alex1989hu)
* ipsec: Fix logging of SPI after key rotations (Backport PR #16614, Upstream PR #16557, @pchaigno)
* lrp: Skip clusterIP service restore in service delete callback (Backport PR #16614, Upstream PR #16548, @aditighag)
* Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode (Backport PR #16697, Upstream PR #16696, @christarazi)
* Potential deadlock in pod identity updates has been fixed. (Backport PR #16614, Upstream PR #16529, @jrajahalme)
* pkg/option: Fix default assignment of EnableWellKnownIdentities (Backport PR #16614, Upstream PR #16434, @mauriciovasquezbernal)

**CI Changes:**
* ci: Disable NFS locking (Backport PR #16686, Upstream PR #16554, @gandro)
* cicd: skip codeql on forks (Backport PR #16686, Upstream PR #16560, @ldelossa)
* node-neigh: Fix concurrent arping update unit test flake (Backport PR #16614, Upstream PR #16578, @brb)
* Pick up cilium-cli v0.8.2 (Backport PR #16654, Upstream PR #16650, @michi-covalent)
* tests: rework custom calls's `AfterEach`/`AfterAll` blocks to skip if needed (Backport PR #16686, Upstream PR #16651, @qmonnet)
* vagrant: Bump all Vagrant box versions (Backport PR #16654, Upstream PR #16589, @pchaigno)
* workflows: Skip jobs instead of workflows (Backport PR #16562, Upstream PR #16487, @pchaigno)

**Misc Changes:**
* build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 (#16574, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 (#16586, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 (#16742, @dependabot[bot])
* build(deps): bump docker/login-action from 1.9.0 to 1.10.0 (#16641, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 (#16685, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 (#16709, @dependabot[bot])
* CODEOWNERS: Give maintainer's code to github-sec team (Backport PR #16562, Upstream PR #16426, @pchaigno)
* contrib: Identify upstream commits by author and date (Backport PR #16654, Upstream PR #16572, @pchaigno)
* docs: fix check-crd-compat-table script (Backport PR #16614, Upstream PR #16545, @aanm)
* docs: Fix typo in BGP GSG (Backport PR #16614, Upstream PR #16563, @christarazi)
* docs: Hubble UI does not show HTTP endpoints anymore (Backport PR #16562, Upstream PR #16535, @gandro)
* docs: run GitHub action when Charts are touched to check Helm values ref (Backport PR #16654, Upstream PR #16577, @qmonnet)
* images/script: update the example hubble cli Deployment version (Backport PR #16562, Upstream PR #16537, @kaworu)
* images: Remove trailing newlines before computing SHA256 (Backport PR #16654, Upstream PR #16621, @pchaigno)
* k8s: Fix logging (Backport PR #16614, Upstream PR #16530, @jrajahalme)
* Refactor logging package to split syslog functionality into separate file (Backport PR #16686, Upstream PR #16600, @tklauser)
* vendor: Update go.universe.tf/metallb (Backport PR #16614, Upstream PR #16523, @christarazi)

**Other Changes:**
* .github: Rename maintainer's little helper's config file (#16457, @pchaigno)
* docs: improve the helm chart documentation (#16653, @bmcustodio)
* docs: update the version specific notes table (#16729, @bmcustodio)
* install: Update image digests for v1.10.1 (#16546, @aanm)

## v1.10.1

Summary of Changes
------------------

**Minor Changes:**
* Add Helm option to disable registering CRD from Cilium Operator (Backport PR #16521, Upstream PR #15655, @Fedosin)
* docs: Revert host firewall to beta for kube-proxy setups (Backport PR #16269, Upstream PR #16149, @pchaigno)
* helm: add back 'wellKnownIdentities' (Backport PR #16269, Upstream PR #16142, @bmcustodio)
* helm: Disable the bandwidth manager by default (Backport PR #16438, Upstream PR #16380, @pchaigno)
* HTTP response access logs no longer contain the request headers, except for 'x-request-id',
  which is still included for request/response correlation purposes. (Backport PR #16384, Upstream PR #16211, @jrajahalme)
* Remove deprecated --update-ec2-adapter-limit-via-api option (Backport PR #16438, Upstream PR #16374, @twpayne)
* Support non-default Azure clouds (Backport PR #16384, Upstream PR #16043, @ungureanuvladvictor)
* Update k8s libraries to 1.21.1 (#16250, @nathanjsweet)

**Bugfixes:**
* alibabacloud: fix race (Backport PR #16269, Upstream PR #16175, @l1b0k)
* daemon: Ignore cilium_* interfaces when deriving NodePort device (Backport PR #16269, Upstream PR #16104, @eyanulis)
* datapath: Use TUNNEL_MODE as indicator for tunnel mode (Backport PR #16521, Upstream PR #16328, @anfernee)
* endpoint: trigger k8s sync controller on identity update (Backport PR #16438, Upstream PR #16381, @jibi)
* Fix "unable to update ipcache map entry on pod add" harmless log warnings (Backport PR #16384, Upstream PR #16286, @aanm)
* Fix bug where Cilium allocates a new router (`cilium_host`) IP upon node reboot, breaking connectivity especially with IPsec (Backport PR #16438, Upstream PR #16307, @christarazi)
* Fix bug where users were unable to use node-selectors in the BGP configuration when using BGP support (Backport PR #16521, Upstream PR #16341, @christarazi)
* Fix bug with Helm chart where a user could not enable BGP and set Operator resources. (Backport PR #16438, Upstream PR #16273, @rkage)
* Fixed bug causing policy realization to be skipped in some scenarios with endpoint identity churn. (Backport PR #16384, Upstream PR #16271, @jrajahalme)
* helm: Fix patch failure when updating `hubble-generate-certs` (Backport PR #16438, Upstream PR #16373, @gandro)
* Ignore K8s namespace events that have the same labels (Backport PR #16384, Upstream PR #16268, @aanm)
* install: Allow setting enable-health-check-nodeport to 'false' (Backport PR #16438, Upstream PR #16323, @dctrwatson)
* ipam: fix crd mode (Backport PR #16521, Upstream PR #16493, @joamaki)
* loader: Revert incorrect initialization of endpoints in chaining mode (Backport PR #16384, Upstream PR #16227, @pchaigno)
* Remove previous PERM ARP entries installed by Cilium when kube-proxy-replacement and IPSec are disabled. (Backport PR #16521, Upstream PR #16359, @aanm)

**CI Changes:**
* .github: Cancel outdated GitHub workflows (Backport PR #16269, Upstream PR #16199, @pchaigno)
* .github: Don't persist credentials in repository (Backport PR #16384, Upstream PR #16052, @pchaigno)
* .github: Don't wait for GKE cluster cleanup (Backport PR #16384, Upstream PR #16319, @pchaigno)
* .github: Fix concurrency group comment triggers (Backport PR #16384, Upstream PR #16310, @pchaigno)
* .github: Fix error triggered by large comments (Backport PR #16438, Upstream PR #16360, @pchaigno)
* .github: Fix scheduled end-to-end tests (Backport PR #16384, Upstream PR #16274, @pchaigno)
* .github: Skip unnecessary workflow steps (Backport PR #16269, Upstream PR #16157, @pchaigno)
* .github: Speed up cluster cleanups in end-to-end tests (Backport PR #16269, Upstream PR #16207, @pchaigno)
* ci: add slack notification to GH actions (Backport PR #16269, Upstream PR #16218, @nebril)
* ci: restart portmap service on CI nodes (Backport PR #16521, Upstream PR #16506, @nebril)
* examples, connectivity-check, test: Use even-numbered nodePort (Backport PR #16269, Upstream PR #16158, @christarazi)
* helm,test: Add standalone L4LB XDP tests in a form of Github Action (Backport PR #16521, Upstream PR #16338, @brb)
* Improve ipsec compile-time testing in CI (Backport PR #16269, Upstream PR #15872, @joestringer)
* Make LRP restore test logic robust and optimized (Backport PR #16384, Upstream PR #16194, @aditighag)
* node: fix arpping test (Backport PR #16521, Upstream PR #16432, @jibi)
* test/helpers: Fix incorrect count of endpoints (Backport PR #16521, Upstream PR #16437, @pchaigno)
* test: Instrument LB IP via BGP test with debug-events (Backport PR #16521, Upstream PR #16445, @christarazi)
* test: Quarantine fragment tracking test on GKE (Backport PR #16269, Upstream PR #16051, @pchaigno)
* test: Specify node-selectors in BGP configmap (Backport PR #16521, Upstream PR #16412, @christarazi)
* test: Use new test-verifier image in K8sVerifier (Backport PR #16438, Upstream PR #16231, @pchaigno)

**Misc Changes:**
* .github: add 'stable' tag as part of the v1.10 releases (#16404, @aanm)
* Add missing bpftool map dumps (Backport PR #16384, Upstream PR #16055, @h3llix)
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16369, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16436, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16415, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 (#16352, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 (#16331, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16533, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 (#16468, @dependabot[bot])
* Clarify one-time setup for backporting (Backport PR #16438, Upstream PR #16016, @christarazi)
* contrib: simplify check-docker-images script (Backport PR #16384, Upstream PR #16176, @aanm)
* daemon: Improve logging of device auto-detection (Backport PR #16438, Upstream PR #16118, @brb)
* docs: add a "Copy Commands" button for shell-session snippets (Backport PR #16521, Upstream PR #16408, @qmonnet)
* docs: add a reference of helm values (Backport PR #16521, Upstream PR #16238, @bmcustodio)
* docs: Clarify coordination for backporting process (Backport PR #16269, Upstream PR #15989, @christarazi)
* docs: Clarify LRP loop related note (Backport PR #16438, Upstream PR #16342, @aditighag)
* docs: document the policy for backporting documentation changes (Backport PR #16384, Upstream PR #16137, @qmonnet)
* docs: ENIs should not be managed by the OS (Backport PR #16521, Upstream PR #16186, @gandro)
* docs: fix a typo in Helm installation documentation (Backport PR #16384, Upstream PR #16325, @netflash)
* docs: Fix build failure (Backport PR #16521, Upstream PR #16454, @pchaigno)
* docs: Fix Helm instructions for BGP (Backport PR #16384, Upstream PR #16263, @xentobias)
* docs: fix some dead links (Backport PR #16384, Upstream PR #16336, @aanm)
* docs: fix warnings for documentation build, use a linter (Backport PR #16521, Upstream PR #16407, @qmonnet)
* docs: Fix WireGuard spelling (Backport PR #16384, Upstream PR #16293, @gandro)
* docs: mark node-to-node IPSec encryption as beta (Backport PR #16521, Upstream PR #16200, @qmonnet)
* docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 (Backport PR #16384, Upstream PR #16288, @aanm)
* docs: Update troubleshooting for 1.10 (Backport PR #16384, Upstream PR #16081, @twpayne)
* docs: use `.. code-block:: shell-session` wherever relevant (Backport PR #16521, Upstream PR #16474, @qmonnet)
* docs: various fixes to documentation, notably Getting Started Guides (Backport PR #16384, Upstream PR #16126, @nbusseneau)
* examples: add an example of a hubble-cli Deployment (Backport PR #16521, Upstream PR #16459, @kaworu)
* Improve author attribution scripts (Backport PR #16269, Upstream PR #15899, @joestringer)
* Makefile, contrib: Add script to create kind cluster (Backport PR #16384, Upstream PR #12527, @christarazi)
* pkg/k8s: add pod IP event change (Backport PR #16438, Upstream PR #16190, @aanm)
* Refactored, renamed and small misc changes in GH workflows (Backport PR #16384, Upstream PR #16312, @aanm)
* Specify scrape interval for Hubble metrics (Backport PR #16269, Upstream PR #16214, @christian-2)
* Update base image to fix potential security vulnerabilities detected by image scanners. (#16527, @aanm)
* Update test/packet instructions for running CI tests on dedicated instances (Backport PR #16438, Upstream PR #16423, @christarazi)
* v1.10: Update Go to 1.16.5 (#16429, @tklauser)
* vendor: Bump go.universe.tf/metallb (Backport PR #16269, Upstream PR #16187, @christarazi)

**Other Changes:**
* install: Update image digests for v1.10.0 (#16243, @aanm)

## v1.10.0

Summary of Changes
------------------

**Major Changes:**
* Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
* Add AlibabaCloud Operator (#15160, @l1b0k)
* Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
* Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
* Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using `enable-ipv6-masquerade` agent option. (#14124, @fristonio)
* Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
* doc: Add Code of Conduct (#15305, @tgraf)
* doc: Deprecate managed etcd mode (#15464, @tgraf)
* doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)
* Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
* Integrate Wireguard for pod2pod encryption (#15383, @brb)
* Rework Quick & Helm Installation Guide (#15695, @tgraf)
* Update to Kubernetes 1.20 (#14248, @aanm)

**Minor Changes:**
* Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
* Add helm option enableEgressGateway (#15777, @anfernee)
* Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
* Add new `cilium_bpf_map_pressure` metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
* Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
* Add support for agent events to Hubble API (#14168, @tklauser)
* Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
* Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
* Adds capability to filter events based on IP version. (#14556, @nyrahul)
* Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
* agent: Silence some useless warnings (#15450, @tgraf)
* api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
* arp: Add retries to arping (#14601, @brb)
* AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (Backport PR #16210, Upstream PR #15828, @Smana)
* bpf: add LB ipip health check datapath (#14610, @borkmann)
* bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
* bpf: Adds support for dropping IPv4 fragmented packets (#15733, @navarrothiago)
* bpf: bpf host routing for tunneling (#15148, @borkmann)
* Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
* CI 3.0: A New Hope (#15144, @tgraf)
* ci: Increase time limit from 15m to 30m (#15371, @tgraf)
* cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
* cilium: Add encryption mode to `cilium status` (#15833, @gandro)
* cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
* cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
* Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
* Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
* custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
* daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
* daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
* daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
* daemon: Remove --help flags grouping (#15564, @brb)
* datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
* datapath: Create MAC_BY_IFINDEX_MACRO in Go (#15267, @brb)
* doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
* doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
* doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
* doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
* docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
* docs: Move host firewall out of beta (#15761, @pchaigno)
* docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
* Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
* Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
* Envoy use of original source address in upstream connections is disabled when datapath is tunneling. (#14594, @jrajahalme)
* examples: remove obsolete Mesos example (#15377, @tklauser)
* Expose more syslog options (#15545, @jaffcheng)
* Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
* helm: add ca.crt to tls secrets (#15443, @kaworu)
* helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
* helm: move IPSec options under encryption.ipsec (#15846, @jibi)
* helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
* Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
* Honor `allocateLoadBalancerNodePorts` in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
* Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
* Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
* hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
* hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
* Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
* hubble: Add node name filter (#13938, @twpayne)
* hubble: Add recorder API (#15680, @gandro)
* hubble: add separate API to get agent and debug events (#15715, @tklauser)
* hubble: Add support for Cilium debug events (#14602, @gandro)
* hubble: allow filtering by agent event subtypes (#14305, @tklauser)
* hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
* hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
* hubble: Support for debug capture events (#14432, @gandro)
* images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
* Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
* install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
* iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
* iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
* Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
* k8s: add support for ipFamilies to services (#14914, @fristonio)
* kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
* maglev: Parallelize calculation of permutations (#14597, @brb)
* Make Cilium the only CNI configuration available in the host to prevent pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
* Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
* Minor README updates (#15372, @tgraf)
* node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
* operator: added --pprof flag/endpoint (#14903, @mvisonneau)
* Remove deprecated v1.10 options (#14291, @jibi)
* Remove legacy flannel integration (#15786, @tgraf)
* Remove some obsolete documentation (#15370, @tgraf)
* Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
* Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
* set cilium agent to only run on linux nodes (#14495, @answer1991)
* Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
* Support host policies with per-endpoint routes (#15217, @pchaigno)
* Tag ENIs at creation time (#14500, @ungureanuvladvictor)
* TCP flags based filter for hubble. (#13826, @nyrahul)
* Updates & clarifications to Governance Rules (#15325, @tgraf)
* wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
* wireguard: Add support for managed K8s (#15674, @gandro)
* wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)

**Bugfixes:**
* Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
* Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
* cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
* daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
* daemon/ipam: correct total IP count in `cilium status` output (#15707, @ArthurChiao)
* daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (Backport PR #16210, Upstream PR #16085, @jibi)
* Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
* Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
* encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
* eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
* Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
* Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
* Fix backwards compatibility of status API (#15143, @tgraf)
* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
* Fix ICMP Echo ID placement in CT maps (#15275, @brb)
* Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
* Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
* hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
* ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
* ipam/aws: updated EC2 instances ENI limits and added a helper function to make it easier to do so in the future (#14906, @mvisonneau)
* kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
* lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
* nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
* operator: release leader lease lock on operator exit (#14554, @fristonio)
* service: Restore Maglev table when M changes (#14469, @brb)
* Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
* ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)
* Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)
* Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)
* wireguard: Fix traffic counters in `cilium debuginfo` (Backport PR #16210, Upstream PR #16178, @gandro)

**CI Changes:**
* .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
* .github/workflows: remove `go version` commands from golangci-lint job (#15238, @tklauser)
* .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
* .travis: Disable email notifications on master failures (#15373, @pchaigno)
* .travis: fail Travis if race detection builds also fail (#15199, @aanm)
* <!-- Enter the release note text here if needed or remove this section! --> (#15659, @Ankurk99)
* <!-- Enter the release note text here if needed or remove this section! --> (#15796, @michi-covalent)
* Add 'nilness' to golangci (#14066, @joestringer)
* Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
* Add cyclonus network policy tester. (#14889, @mattfenwick)
* bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
* ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
* ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
* ci: add AKS workflow (#15466, @nbusseneau)
* ci: add CodeQL analysis (#14514, @twpayne)
* ci: add EKS workflow (#15465, @nbusseneau)
* ci: add gke workflow (#15416, @nebril)
* ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
* ci: Bump vagrant boxes (#14982, @gandro)
* ci: change manifest path for perf test (#14183, @nebril)
* ci: Check gke cluster state before selecting it (#14130, @nebril)
* ci: Fix `BGP router does not have route for LB IP` (#15771, @gandro)
* ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
* ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
* ci: fix nightly image (#14170, @nebril)
* ci: Fix nightly image (#15605, @nebril)
* ci: fix nightly image sha (#15708, @nebril)
* ci: fix/update GKE workflow (#15482, @nbusseneau)
* ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @nbusseneau)
* ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
* ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
* ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
* ci: skip gke clusters with ongoing operations (#14348, @nebril)
* ci: use host images in master job (#14311, @nebril)
* ci: use host kubectl in k8s-all (#14302, @nebril)
* ci: Use images built on host in k8s-all job (#14292, @nebril)
* ci: use images from quay.io (#14937, @nebril)
* ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @nbusseneau)
* ci: wait for quay images and boot vms in parallel (#15300, @nebril)
* cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
* cilium: test encryption workflows for GKE (#15595, @jrfastab)
* cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
* connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
* contrib: Add integration testing shell helpers (#14404, @joestringer)
* daemon: Do not attach bpf_host to L3 dev if skb_change_head is unavailable (#15343, @brb)
* docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
* DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
* e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
* Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
* jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
* jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
* jenkinsfiles: remove unused environment variables (#15125, @aanm)
* labelsfilter: Fix test for default filters (#15024, @pchaigno)
* node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
* Remove docker-compose leftovers (#14426, @tklauser)
* Remove unused jenkinsfiles (#15578, @aanm)
* Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
* Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
* Revert "refactor: Remove `time.After` from any Loops" (#14371, @tklauser)
* run bpf_ct_tests as part of CI (#14916, @kkourt)
* test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
* test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
* test/helpers: remove unused functions and consts (#15241, @tklauser)
* test/helpers: Support non-standard nodes names with NO_CILIUM_ON_NODE (#15384, @christarazi)
* test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
* test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
* test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
* test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
* test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
* test: add iptables masquerading without random-fully test (#14476, @jibi)
* test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
* test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
* test: Always select nodes by label (#14867, @pchaigno)
* test: change access of go dir in test vm (#15265, @nebril)
* test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
* test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
* test: disable fqdn connectivity test during restart (#13930, @tklauser)
* test: Disable host firewall in incompatible tests (#14545, @pchaigno)
* test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
* test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
* test: Extend coverage for host policies enforcement (#14822, @pchaigno)
* test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
* test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
* test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
* test: Fix incorrect uninstall in K8sBandwidth (Backport PR #16210, Upstream PR #16053, @pchaigno)
* test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
* test: Fix local tests (#15130, @pchaigno)
* test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
* test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
* test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
* test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
* test: Misc improvements (Backport PR #16210, Upstream PR #16064, @pchaigno)
* test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
* test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
* test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
* test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
* test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
* test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
* test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
* test: Reduce build durations (#14223, @pchaigno)
* test: Reenable debug mode for monitor tests (#15127, @pchaigno)
* test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
* test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
* test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
* test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
* test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
* test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
* test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
* test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
* test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
* test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
* test: Unquarantine the random-fully test (#15205, @pchaigno)
* test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
* test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
* test: Use node labels when testing host policies (#15714, @pchaigno)
* test: Use stable tags instead of :latest (#14093, @pchaigno)
* test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
* vagrant: bump all box versions (#14274, @jibi)
* vagrant: Bump all Vagrant box versions (#14167, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
* vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
* wireguard: Add pod2pod encryption tests (#15573, @brb)
* wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)
* workflows: add encryption for AKS testing (#15657, @nbusseneau)
* workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
* workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
* workflows: fix GKE `if` condition (#15788, @nbusseneau)
* workflows: fix schedule triggers (#15813, @nbusseneau)
* workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
* workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
* workflows: small fixes to Kind (#15658, @nbusseneau)

**Misc Changes:**
* .dockerignore: add *.box files (#14045, @kkourt)
* .github: add GitHub actions to build images (#14917, @aanm)
* .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
* .github: change dependabot interval to daily (#15651, @aanm)
* .github: change step order (#14703, @aanm)
* .github: checkout right SHA for base images (#15069, @aanm)
* .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
* .github: Fix cilium project management for v1.9 (#14065, @joestringer)
* .github: fix correct sha for images build (#15065, @aanm)
* .github: fix markdown typo (#15792, @aanm)
* .github: publish tags from master branch in official repositories (#15078, @aanm)
* .github: set :latest tag for merges into master branch (#14933, @aanm)
* .github: set different workflow IDs (#14932, @aanm)
* .github: update GH actions on stable branches (#15208, @aanm)
* .github: update release process (#14672, @aanm)
* .github: update steps for the release process of a RC (#15319, @aanm)
* .github: update v1.9 cilium-actions project number (#14683, @aanm)
* .github: use quay.io images in smoke tests (#15005, @aanm)
* .gitignore: add .vscode/ directory (#14664, @ti-mo)
* <!-- Enter the release note text here if needed or remove this section! --> (#15113, @TrevorTaoARM)
* Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
* Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
* Add custom resource for egress nat policies (#14998, @MasterZ40)
* Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
* add doc for AlibabaCloud ENI (#15512, @l1b0k)
* Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
* Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
* add GH action to push hot fix images into -dev repositories (#15061, @aanm)
* Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
* Add multi-arch support to all images (#15023, @aanm)
* add support for EndpointSlice V1 (#15524, @aanm)
* Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
* Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
* Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
* Add warning log when host enables SELinux (#15414, @konghui)
* add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
* add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
* add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
* Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
* Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
* Added flag `proxy.prometheus.enabled` to helm chart for disabling service (#14688, @yuriydzobak)
* Added Tailor Brands to users (#14605, @liorrozen)
* Address #13894 nits (#13985, @jibi)
* Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
* Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
* Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
* agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
* alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
* all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
* all: don't use the deprecated io/ioutil package (#15242, @tklauser)
* all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
* allocator: Quieten local key allocation logging (#14804, @joestringer)
* api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
* arp: Set deadline for each retry (#14651, @brb)
* Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
* AUTHORS: Update email (#15885, @jrajahalme)
* aws/eni/limits: lazily populate limits map (#15523, @tklauser)
* azure: Fix API rate limit test (#15493, @twpayne)
* bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
* bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
* bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
* bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
* bpf: datapath: Rewrite base devices setup in Go (#13915, @mrostecki)
* bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
* bpf: fixes for host routing (#15240, @borkmann)
* bpf: initial pcap exporter for lb (#15376, @borkmann)
* bpf: lb pmtu discovery support (#14980, @borkmann)
* bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
* bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
* bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
* bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
* bpf_host: declare variables in the beginning of the block (#15560, @johngv2)
* build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
* build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
* build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
* build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16109, @dependabot[bot])
* build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
* build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
* build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
* build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
* build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
* build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
* build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
* build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
* build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
* build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
* build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
* build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
* build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
* build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
* build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
* build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
* build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
* build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
* build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
* build: Minor fixes to .gitignore and docs (#13626, @twpayne)
* Bump alpine base image to 3.13.0 (#14718, @tklauser)
* Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
* Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
* Bump gops to 0.3.16 (#15213, @tklauser)
* Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
* Bump vendored dependencies (#14572, @tklauser)
* Bump vendored dependencies (part 2) (#14606, @tklauser)
* bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
* Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
* Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
* ci/dependabot: fix labels (#14773, @rolinh)
* ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
* ci: Add initial dependabot configuration (#14694, @twpayne)
* ci: build race-detection images in GH actions (#14979, @nebril)
* CI: fix cron values for CodeQL analysis (#14575, @twpayne)
* ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
* ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
* cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
* cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
* cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
* cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
* cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
* cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
* cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
* cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
* cilium: pcap recorder agent management (#15633, @borkmann)
* cilium: pcap recorder follow ups (#15782, @borkmann)
* cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
* Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
* cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
* cli: Add LB IP to cilium status (#14445, @brb)
* cli: Rename kpr Protocols status field (#14977, @brb)
* coccinelle: update to python3 (#14522, @kaworu)
* CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
* CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
* CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
* CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
* CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
* CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
* CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
* CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
* CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
* CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
* CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
* CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
* CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
* CODEOWNERS: Update required reviews (#15009, @pchaigno)
* Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
* Consistently use structured logging for errors (#13814, @tklauser)
* Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
* contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
* contrib: add dual-stack support for dev VMs (#15827, @aanm)
* contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
* contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
* contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
* contrib: Make upstream commit check more generic (Backport PR #16210, Upstream PR #16160, @joestringer)
* Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
* crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
* custom calls: cleanup and improve a few elements (#15480, @qmonnet)
* daemon: Add hidden --cflags debug command (#15549, @joestringer)
* daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
* daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
* daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
* daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
* daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
* daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
* daemon: Remove unnecessary log (#15776, @christarazi)
* daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
* daemon_main: fix comments error (#14194, @lrouter)
* datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
* datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
* datapath/linux/probes: remove unused (*ProbeManager).GetMisc (#15647, @tklauser)
* datapath/linux: Fix clang version regex check (#14742, @christarazi)
* datapath/loader: fix privileged test build (#14335, @tklauser)
* datapath: always generate BTF debug information (#14166, @jibi)
* datapath: migrate off j-keck/arping (#13112, @vladdy)
* datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
* datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
* datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
* dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
* dependabot: Fix labels (#14717, @pchaigno)
* dependabot: ignore ginkgo updates (#14821, @tklauser)
* dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
* dependabot: limit number of open PRs to 1 (#14837, @tklauser)
* dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
* dev-doctor: Add Helm check (#14001, @twpayne)
* dev-doctor: Add more checks (#14229, @twpayne)
* distinguish between FIN and RST on datapath (#14097, @kkourt)
* doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
* doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
* doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
* Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
* doc: Update AUTHORS file (#14719, @kaworu)
* doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
* docker: bump cilium-iproute2 image (#14258, @jibi)
* Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
* docker: Pre-pull images correctly (#14759, @jrajahalme)
* Dockerfile image build process follow-ups (#15110, @aanm)
* Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
* Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
* docs, gsg: add link to plumbers talk on service lb mechanisms (Backport PR #16210, Upstream PR #16171, @borkmann)
* docs, gsg: minor edits to kpr guide and note on hybrid use (Backport PR #16210, Upstream PR #16169, @borkmann)
* docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
* docs/encryption: Document limitations and workarounds (#15876, @gandro)
* docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
* docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
* docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
* docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
* docs: Add az login command to AKS getting started guide (#13926, @twpayne)
* docs: Add BGP GSG (#15519, @christarazi)
* docs: Add caveat for OpenShift (Backport PR #16210, Upstream PR #16161, @christarazi)
* docs: add cilium-operator technical overview documentation (#14530, @fristonio)
* docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
* docs: Add info about Envoy smoke test (#14359, @jrajahalme)
* docs: add information about ConfigMap updates (Backport PR #16210, Upstream PR #16141, @aanm)
* docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
* docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
* docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
* docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
* docs: Add Wireguard Getting Started Guide (#15787, @gandro)
* docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
* docs: clarify janitor duties (#14127, @jibi)
* docs: Clarify that empty endpoint selectors implicitly limit to namespace (#14580, @twpayne)
* docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
* docs: document final steps for nomination of new committers (#15378, @qmonnet)
* docs: Document update-cmdref make target usage (#14925, @nebril)
* docs: example cluster-wide health endpoint (#15348, @Shikugawa)
* docs: Expand triage description (#14235, @joestringer)
* docs: Fix commands to build dev. docker images (#15231, @pchaigno)
* docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
* docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
* docs: Fix hint for updating cmdref (#13795, @brb)
* docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
* docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
* docs: fix llvm git repo and clang folder (#14812, @fnzv)
* docs: Fix pip installation (#15705, @brb)
* docs: Fix sed in OKD GSG (#15822, @christarazi)
* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
* docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
* docs: Improve DNS port documentation (#14144, @joestringer)
* docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
* docs: Improve wording around Helm values in OKD GSG (Backport PR #16210, Upstream PR #16069, @errordeveloper)
* docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
* docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
* docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
* docs: Recommend use of backport scripts (#14011, @pchaigno)
* docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
* docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
* docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
* docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
* docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
* docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
* docs: Tweak backporting doc (#15369, @twpayne)
* docs: update dependency table to add links and download command (#15055, @kaitoii11)
* docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
* docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
* docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
* docs: Updates steps when using submit-backport (#14799, @pchaigno)
* docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
* Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
* Documentation: Update list of Jenkins jobs (#14592, @twpayne)
* Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
* ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
* Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
* Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
* endpoint: Add named type for endpoint state (#15614, @ammmk)
* endpoint: Enhance policy map sync (#14370, @jrajahalme)
* endpoint: Fix typo in CT clean logic (#14137, @joestringer)
* endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
* ENI migration followups (#15702, @christarazi)
* envoy: Update proxylib interface (#14560, @jrajahalme)
* envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
* examples: Split host policies for dev. VMs (#15577, @pchaigno)
* Export and use agent event sub-types for Hubble (#14415, @tklauser)
* Extend endpoint related interfaces (#14743, @aditighag)
* Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
* Fix a typo in terminology documentation (#14181, @didier-durand)
* fix broken link on readme (#13981, @kaitoii11)
* Fix cilium typos (#14180, @twpayne)
* Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
* Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
* Fix integer conversions (#14561, @twpayne)
* Fix logging for expired FQDN IPs (Backport PR #16210, Upstream PR #16030, @youssefazrak)
* Fix rawgit links in README.rst (#14092, @vignesh-codes)
* Fix typo in grpc example (#14874, @teyuchang)
* Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
* Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
* fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
* fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
* gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
* health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
* Helm: adjust comment in values.yaml to accommodate Vim users (#15334, @qmonnet)
* Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
* hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
* hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
* hubble: allow to filter agent events (#14242, @tklauser)
* hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
* hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
* hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
* images, vendor: update gops to 0.3.17 (#15299, @tklauser)
* images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
* images/runtime: update ubuntu base image (#15615, @aanm)
* images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
* images: re-write README.md (#15108, @aanm)
* images: squash common operator images in a single Dockerfile (#15849, @aanm)
* Implement egress gateway datapath (#14830, @anfernee)
* Improve pod deletion resiliency (#14898, @joestringer)
* install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
* install/kubernetes: remove quick-install from master branches (#15250, @aanm)
* install/kubernetes: set k8s min version manually (#14778, @aanm)
* install: Remove 1.9 RC workaround (#13863, @joestringer)
* iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
* iptables: use CILIUM_* chains for per-endpoint no CT rules (#15411, @jibi)
* ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
* issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
* jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
* k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
* k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
* k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
* k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
* k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
* k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
* k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
* k8s: Update libraries to v1.20.1 (#14481, @christarazi)
* kvstore: Fix event watcher serialization (#14101, @joestringer)
* lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
* loader : Log upsert and remove route errors (#15339, @h3llix)
* loader : Log upsert and remove route errors (#15525, @h3llix)
* maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
* MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
* make: add help target to root Makefile for printing info about available targets (#15087, @fristonio)
* make: Use buildkit for docker targets by default (#14714, @jrajahalme)
* make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
* Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
* Makefile: Fix microk8s image target (#15516, @joestringer)
* Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
* Makefile: Remove microk8s prepull script (#14148, @joestringer)
* Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
* Makefile: Simplify to run faster (#13939, @jrajahalme)
* Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
* Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
* Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
* Modified path of fuzzer (#14813, @AdamKorcz)
* monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
* monitor: Display human-readable identities (#13601, @pchaigno)
* node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
* node/manager: remove unused *Manager methods (#15106, @tklauser)
* node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
* Observer to ignore unhandled debug event types (#14589, @anfernee)
* operator: use logfields in cilium operator logging (#14548, @fristonio)
* Optimize Label.String() (#15089, @michi-covalent)
* pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
* pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
* pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
* pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
* pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (Backport PR #16210, Upstream PR #16153, @aanm)
* pkg/k8s: remove unused code (#14376, @aanm)
* pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
* pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
* pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
* pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
* pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
* policy: Fix typo in issue link (#15251, @joestringer)
* policy: improve CNP initial sync (#15492, @jaffcheng)
* policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
* Prepare branch for v1.10 release cycle (#15868, @joestringer)
* Prepare for 1.10.0 development (#13617, @aanm)
* Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
* Prepare v1.10.0-rc0 (#15318, @aanm)
* README: update security releases (#13977, @aanm)
* Refactor endpoint management (#14745, @joestringer)
* refactor: Remove `time.After` from any Loops (#14265, @nathanjsweet)
* refactor: Remove `time.After` from any Loops (#14380, @nathanjsweet)
* release: Automate image digest PR creation (#15818, @joestringer)
* Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
* Remove NEEDS_RELAX_VERIFIER (#15610, @rscampos)
* Remove references for old k8s version from tests (#14471, @fristonio)
* remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
* rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
* Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
* Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
* Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
* Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
* Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
* Revert accidentally introduced port change (#14328, @brandshaide)
* Revert exported NoTrack rule function names. (#15505, @Weil0ng)
* Simplify runtime/builder image update (#15326, @tklauser)
* Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
* source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
* stale-bot: stale PRs with assignees (#14364, @aanm)
* Stub out some functionality on non-Linux platforms (#15355, @joestringer)
* Switch metrics map to cilium/ebpf (#14582, @jibi)
* test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
* test/Makefile: fix registryCredentials typo (#14051, @kkourt)
* test/packet: Default download to /tmp (#14055, @pchaigno)
* test: Allow test VMs have swap (#14506, @jrajahalme)
* test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
* test: get cilium pods inside background closure (#14057, @kkourt)
* test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
* test: Remove nop condition from tests (#15541, @pchaigno)
* test: update add_vagrant_box.sh (#15831, @twpayne)
* test: update k8s tested versions (#15528, @aanm)
* test: update k8s to 1.20 (#14315, @aanm)
* test: update k8s to 1.21.0 (#15616, @aanm)
* tools: Add initial dev-doctor (#13772, @twpayne)
* treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
* ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
* Update authors file (#13866, @joestringer)
* Update AWS deps (#15759, @ungureanuvladvictor)
* Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
* Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
* Update CNI network plugin to 0.9.0 (#14620, @tklauser)
* Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
* Update Go to 1.15.5 (#14013, @tklauser)
* Update Go to 1.15.6 (#14298, @tklauser)
* Update Go to 1.15.7 (#14662, @tklauser)
* Update Go to 1.15.8 (#14983, @tklauser)
* Update Go to 1.16 (#15068, @tklauser)
* Update Go to 1.16.1 (#15314, @tklauser)
* Update Go to 1.16.2 (#15344, @tklauser)
* Update Go to 1.16.3 (#15566, @tklauser)
* Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
* Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
* Update release process (#15034, @aanm)
* Update stable releases (#13804, @christarazi)
* Update stable releases (#14282, @aanm)
* Update stable releases (#14671, @aanm)
* Update stable releases (#14706, @aanm)
* Update stable releases (#14763, @joestringer)
* Update stable releases (#14896, @christarazi)
* Update stable releases (#15018, @joestringer)
* Update stable releases (#15122, @joestringer)
* Update stable releases (#15313, @joestringer)
* Update stable releases (#15805, @joestringer)
* Update USERS.md (#14831, @imathu)
* Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
* Updates golang:1.16.3 digest (#15790, @Weil0ng)
* Use go embed and remove go-bindata dependency (#15834, @aanm)
* Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
* Use time.Truncate of more recent Go (#14493, @youssefazrak)
* Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
* Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
* v1.10: Update Go to 1.16.4 (#16061, @tklauser)
* Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
* Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
* vagrant: bump all box versions (#14632, @tklauser)
* vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
* vagrant: bump box versions (#14736, @tklauser)
* vagrant: bump box versions (#15090, @tklauser)
* vagrant: bump box versions, again (#15129, @tklauser)
* vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
* vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
* vagrant: make restart.sh executable (#13625, @twpayne)
* Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
* Various documentation / comments fixes and improvements (#14439, @kaworu)
* vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
* vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
* vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
* vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
* vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
* vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
* vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
* vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)
* vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
* vendor: use github.com/blang/semver/v4 (#14327, @tklauser)
* wireguard: Better error message if kernel support is lacking (#15825, @gandro)
* wireguard: Fix rp_filter setting (#15542, @brb)
* wireguard: Improve logging (#15807, @brb)
* wireguard: Remove operator and disable KPR encryption (#15565, @brb)

**Other Changes:**
* install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
* install: Update image digests for v1.10.0-rc2 (#16174, @aanm)
* Prepare for release v1.10.0-rc1 (#15897, @joestringer)
* Prepare for release v1.10.0-rc2 (#16167, @aanm)
* workflows: fix image workflows for v1.10 (#16009, @nbusseneau)

## v1.10.0-rc2

Summary of Changes
------------------

**Major Changes:**
* doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)

**Minor Changes:**
* daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
* doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
* doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
* doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
* Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
* images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
* install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
* node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
* Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
* wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)

**Bugfixes:**
* cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
* Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
* eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
* Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
* Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
* ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)

**CI Changes:**
* ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
* ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
* connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
* jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
* node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
* test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
* test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
* test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
* test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
* test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
* test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
* test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
* test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
* wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)

**Misc Changes:**
* Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
* bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
* CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
* contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
* contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
* doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
* doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
* Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
* docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
* docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
* docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
* docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
* docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
* docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
* docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
* docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
* docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
* docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
* docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
* docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
* docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
* docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
* ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
* Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
* Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
* Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
* issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
* Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
* node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
* Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
* Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
* Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
* v1.10: Update Go to 1.16.4 (#16061, @tklauser)
* vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
* vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)

**Other Changes:**
* install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
* workflows: fix image workflows for v1.10 (#16009, @nbusseneau)

## v1.10.0-rc1

**Note**: The summary of changes below reflects the diff between the last
release candidate (v1.10.0-rc0) and tag v1.10.0-rc1.

Summary of Changes
------------------

**Major Changes:**
* Add AlibabaCloud Operator (#15160, @l1b0k)
* Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
* Add a Getting Started Guide for Rancher Kubernetes Engine (#15323, @seanmwinn)
* doc: Add Code of Conduct (#15305, @tgraf)
* doc: Deprecate managed etcd mode (#15464, @tgraf)
* Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
* Integrate Wireguard for pod2pod encryption (#15383, @brb)
* Rework Quick & Helm Installation Guide (#15695, @tgraf)
* Implement egress gateway datapath (#14830, @anfernee)

**Minor Changes:**
* Add helm option enableEgressGateway (#15777, @anfernee)
* Added a new daemon option `--tofqdns-idle-connection-grace-period`. (#15458, @jrajahalme)
* Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
* agent: Silence some useless warnings (#15450, @tgraf)
* bpf: Adds support for dropping IPv4 fragmented packets (#15733, @navarrothiago)
* Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
* ci: Increase time limit from 15m to 30m (#15371, @tgraf)
* cilium: Add encryption mode to `cilium status` (#15833, @gandro)
* custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
* daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
* daemon: Remove --help flags grouping (#15564, @brb)
* datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
* datapath: Create MAC\_BY\_IFINDEX\_MACRO in Go (#15267, @brb)
* doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
* docs: Move host firewall out of beta (#15761, @pchaigno)
* docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
* examples: remove obsolete Mesos example (#15377, @tklauser)
* Expose more syslog options (#15545, @jaffcheng)
* Hash IPSec keys in the bugtool. Unit tests are also added. (#15550, @h3llix)
* helm: add ca.crt to tls secrets (#15443, @kaworu)
* helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
* helm: move IPSec options under encryption.ipsec (#15846, @jibi)
* helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
* hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
* hubble: Add recorder API (#15680, @gandro)
* hubble: add separate API to get agent and debug events (#15715, @tklauser)
* Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
* iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
* iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
* k8s: add support for ipFamilies to services (#14914, @fristonio)
* Minor README updates (#15372, @tgraf)
* node-neigh: Query once netlink for neigh discovery device (#15431, @brb)
* PolicyImportErrorsTotal metric is now incremented also from k8s policy watchers (#15820, @jrajahalme)
* Remove legacy flannel integration (#15786, @tgraf)
* Remove some obsolete documentation (#15370, @tgraf)
* Support host policies with per-endpoint routes (#15217, @pchaigno)
* Updates & clarifications to Governance Rules (#15325, @tgraf)
* VM support has been updated to make use of the new `cilium` cluster CLI tool. (#15320, @jrajahalme)
* wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
* wireguard: Add support for managed K8s (#15674, @gandro)

**Bugfixes:**
* `toFQDNs` rules now allow underscores in match patterns and names (#15801, @jrajahalme)
* bpf: Fix defines in policy.h (#15763, @pchaigno)
* bpf: fix map\_array\_get\_16 backend retrieval (#15808, @borkmann)
* cilium: encryption, auto-discover interface and subnet (#15357, @jrfastab)
* ctmap: do not call InitMapInfo() in init() (#15590, @kkourt)
* daemon/ipam: correct total IP count in `cilium status` output (#15707, @ArthurChiao)
* Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
* encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
* eni: Assign primary IP to support multiple VPC CIDRs (#15453, @gandro)
* Envoy is updated with security fixes for Envoy CVEs released on 4/15/2021 (#15725, @jrajahalme)
* Fix a bug that was causing Azure IPAM to not work when ApplicationSecurityGroups were attached to IPConfigurations of a NIC. (#15194, @AnishShah)
* Fix an issue where packets are dropped when a pod connects to itself via a service clusterIP. (#15321, @aditighag)
* Fix bug where any non-leader Operator in HA mode would crash updating CRDs (#15544, @christarazi)
* Fix channel panic from ipcache kvstore reconnect (#15668, @jomenxiao)
* Fix ethtool issues (#15622, @tklauser)
* Fix ICMP Echo ID placement in CT maps (#15275, @brb)
* Fix the initialization of host endpoint labels (#15780, @pchaigno)
* Fixing pods restart on nodes running containerd on COS (#14708, @fallard84)
* Handle events with pod IP and node IP addresses being modified (#15803, @aanm)
* ipam: Fix ENI routing for secondary CIDRs (#15303, @gandro)
* ipcache: Expose correct source in Cilium API (#15706, @gandro)
* kvstore/etcd: fix etcd rate limit (QPS) not working (#15742, @ArthurChiao)
* kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
* lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
* nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
* pkg/k8s: reset k8s event lag metric on pod add (#15804, @aanm)
* Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
* Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)

**CI Changes:**
* .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
* .travis: Disable email notifications on master failures (#15373, @pchaigno)
* Github action to verify that every commit in a PR compiles on its own (#15659, @Ankurk99)
* Run cloud provider conformance tests every 6 hours (#15796, @michi-covalent)
* Add cyclonus network policy tester. (#14889, @mattfenwick)
* bpf: Extend datapath options for K8sVerifier test (#15540, @pchaigno)
* ci: add AKS workflow (#15466, @nbusseneau)
* ci: add EKS workflow (#15465, @nbusseneau)
* ci: add gke workflow (#15416, @nebril)
* ci: Fix `BGP router does not have route for LB IP` (#15771, @gandro)
* ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
* ci: Fix nightly image (#15605, @nebril)
* ci: fix nightly image sha (#15708, @nebril)
* ci: fix/update GKE workflow (#15482, @nbusseneau)
* ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
* ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
* cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
* cilium: test encryption workflows for GKE (#15595, @jrfastab)
* cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
* daemon: Do not attach bpf\_host to L3 dev if skb\_change\_head is unavailable (#15343, @brb)
* Remove unused jenkinsfiles (#15578, @aanm)
* Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
* test/gke: refactor test-clusters operations (#15863, @nbusseneau)
* test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
* test/helpers: Support non-standard nodes names with NO\_CILIUM\_ON\_NODE (#15384, @christarazi)
* test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
* test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
* test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
* test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
* test: Disable host firewall in incompatible tests (#14545, @pchaigno)
* test: ensure kubectl version is available for test run (#15748, @nebril)
* test: Format test-only's kernel\_version to avoid mistakes (#15743, @pchaigno)
* test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
* test: make RunsOnNetNextKernel() helper work with KERNEL="net-next" (#15395, @qmonnet)
* test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
* test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
* test: Skip K8sPolicy on GKE and 4.19 (#15762, @pchaigno)
* test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
* test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
* test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
* test: Use node labels when testing host policies (#15714, @pchaigno)
* test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
* vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
* wireguard: Add pod2pod encryption tests (#15573, @brb)
* workflows: add encryption for AKS testing (#15657, @nbusseneau)
* workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
* workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
* workflows: fix GKE `if` condition (#15788, @nbusseneau)
* workflows: fix schedule triggers (#15813, @nbusseneau)
* workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
* workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
* workflows: small fixes to Kind (#15658, @nbusseneau)

**Misc Changes:**
* .github: change dependabot interval to daily (#15651, @aanm)
* .github: fix markdown typo (#15792, @aanm)
* .github: remove unnecessary docker hub credentials (#15841, @aanm)
* .github: update steps for the release process of a RC (#15319, @aanm)
* Add Cluster Health metrics (#15380, @h3llix)
* Add custom resource for egress nat policies (#14998, @MasterZ40)
* add doc for AlibabaCloud ENI (#15512, @l1b0k)
* add support for EndpointSlice V1 (#15524, @aanm)
* Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
* Add warning log when host enables SELinux (#15414, @konghui)
* Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
* all: don't use the deprecated io/ioutil package (#15242, @tklauser)
* Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
* AUTHORS: Update email (#15885, @jrajahalme)
* aws/eni/limits: lazily populate limits map (#15523, @tklauser)
* azure: Fix API rate limit test (#15493, @twpayne)
* bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
* bpf: initial pcap exporter for lb (#15376, @borkmann)
* bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
* bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
* bpf\_host: declare variables in the beginning of the block (#15560, @johngv2)
* bugtool: dump iptables-legacy and iptables-nft (#15363, @h3llix)
* build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
* build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
* build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
* build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
* build(deps): bump pygments from 2.4.2 to 2.7.4 in /Documentation (#15495, @dependabot[bot])
* build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
* build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
* build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
* Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
* cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
* cilium: Fix EKS encryption panic and reinit path and add workflows test (#15669, @jrfastab)
* cilium: pcap recorder agent management (#15633, @borkmann)
* cilium: pcap recorder follow ups (#15782, @borkmann)
* CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
* CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
* CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
* CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
* CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
* contrib: add dual-stack support for dev VMs (#15827, @aanm)
* contrib: Clean output of submit-backport script (#15838, @pchaigno)
* contrib: fix remote overriding (#15328, @kaworu)
* custom calls: cleanup and improve a few elements (#15480, @qmonnet)
* daemon/cmd: fix Cilium version status output (#15649, @aanm)
* daemon: Add hidden --cflags debug command (#15549, @joestringer)
* daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
* daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
* daemon: Fix the init of the endpoints' datapath config (#15785, @pchaigno)
* daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
* daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
* daemon: Remove unnecessary log (#15776, @christarazi)
* datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
* datapath/linux/probes: remove unused (\*ProbeManager).GetMisc (#15647, @tklauser)
* datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
* doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
* docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
* docs/encryption: Document limitations and workarounds (#15876, @gandro)
* docs/policy: Clarify table for deny policy scenarios (#15836, @pchaigno)
* docs: Add BGP GSG (#15519, @christarazi)
* docs: add cilium-operator technical overview documentation (#14530, @fristonio)
* docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
* docs: Add Wireguard Getting Started Guide (#15787, @gandro)
* docs: De-duplicate k8s integration section (#15454, @joestringer)
* docs: document final steps for nomination of new committers (#15378, @qmonnet)
* docs: example cluster-wide health endpoint (#15348, @Shikugawa)
* docs: Fix commands for IPSec key rotations (#15481, @pchaigno)
* docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
* docs: Fix pip installation (#15705, @brb)
* docs: Fix sed in OKD GSG (#15822, @christarazi)
* docs: fix the Cilium namespace in GKE (#15463, @kaworu)
* docs: Hide "Edit on GitHub" buttons (#15579, @joestringer)
* docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
* docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
* docs: Tweak backporting doc (#15369, @twpayne)
* docs: Update DNS proxy timeout value (#15581, @aditighag)
* docs: update k3s installation instructions (#15503, @aanm)
* docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
* Documentation: fix key rotation command in encryption guide (#15365, @mauriciovasquezbernal)
* Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
* endpoint: Add named type for endpoint state (#15614, @ammmk)
* ENI migration followups (#15702, @christarazi)
* examples: add 'rebel-base-global-shared.yaml' (#15886, @bmcustodio)
* examples: Split host policies for dev. VMs (#15577, @pchaigno)
* Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
* Fix BPF\_JMP\_MAP\_ID on tail call toy example. (#15576, @yiannisy)
* Helm: adjust comment in values.yaml to accommodate Vim users (#15334, @qmonnet)
* images/runtime: update ubuntu base image (#15615, @aanm)
* images: squash common operator images in a single Dockerfile (#15849, @aanm)
* Improve release scripts (#15294, @joestringer)
* Improve the docs CRD schema version update script (#15869, @joestringer)
* install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
* ipam: Fix empty interface number in Azure (#15533, @christarazi)
* ipsec: Fix routing CIDR iteration on EKS (#15645, @gandro)
* iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
* iptables: use CILIUM_\* chains for per-endpoint no CT rules (#15411, @jibi)
* k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
* k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
* k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
* k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
* Kata: Mention incompatibility with host-reachable services or strict KPR in documentation (#15589, @qmonnet)
* loader : Log upsert and remove route errors (#15339, @h3llix)
* loader : Log upsert and remove route errors (#15525, @h3llix)
* MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
* Make encryption+chaining limitations clearer (#15598, @joestringer)
* make: add help target to root Makefile for printing info about available targets (#15087, @fristonio)
* Makefile: Fix microk8s image target (#15516, @joestringer)
* mtu: Switch to v/netlink for querying netdevs (#15260, @brb)
* Multi-arch enabled strip operations (#15113, @TrevorTaoARM)
* node-neigh: Reduce arping related log msg's level (#15261, @brb)
* node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
* pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
* pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
* pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
* pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
* pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
* policy: improve CNP initial sync (#15492, @jaffcheng)
* Prepare branch for v1.10 release cycle (#15868, @joestringer)
* Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
* release: Automate image digest PR creation (#15818, @joestringer)
* Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
* Remove NEEDS\_RELAX\_VERIFIER (#15610, @rscampos)
* rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
* Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
* Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
* Revert exported NoTrack rule function names. (#15505, @Weil0ng)
* Simplify runtime/builder image update (#15326, @tklauser)
* Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
* source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
* Stub out some functionality on non-Linux platforms (#15355, @joestringer)
* test: Remove nop condition from tests (#15541, @pchaigno)
* test: update add\_vagrant\_box.sh (#15831, @twpayne)
* test: update k8s tested versions (#15528, @aanm)
* test: update k8s to 1.21.0 (#15616, @aanm)
* ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
* Update AWS deps (#15759, @ungureanuvladvictor)
* Update Go to 1.16.2 (#15344, @tklauser)
* Update Go to 1.16.3 (#15566, @tklauser)
* Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
* Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
* Update stable releases (#15805, @joestringer)
* Updates golang:1.16.3 digest (#15790, @Weil0ng)
* Use go embed and remove go-bindata dependency (#15834, @aanm)
* vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
* vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
* vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
* vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
* wireguard: Better error message if kernel support is lacking (#15825, @gandro)
* wireguard: Fix rp\_filter setting (#15542, @brb)
* wireguard: Improve logging (#15807, @brb)
* wireguard: Remove operator and disable KPR encryption (#15565, @brb)

## v1.10.0-rc0

**Note**: The summary of changes below reflects the diff between the last stable
release (v1.9.5) and tag v1.10.0-rc0.

Summary of Changes
------------------

**Major Changes:**
* Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
* Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
* Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using `enable-ipv6-masquerade` agent option. (#14124, @fristonio)
* Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
* Update to Kubernetes 1.20 (#14248, @aanm)

**Minor Changes:**
* Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
* Add labels to scrape cilium agent and operator metrics (#14747, @lyveng)
* Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
* Add new `cilium_bpf_map_pressure` metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
* Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
* Add support for agent events to Hubble API (#14168, @tklauser)
* Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
* Adds capability to filter events based on IP version. (#14556, @nyrahul)
* Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
* api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
* arp: Add retries to arping (#14601, @brb)
* bpf: add LB ipip health check datapath (#14610, @borkmann)
* bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
* bpf: bpf host routing for tunneling (#15148, @borkmann)
* CI 3.0: A New Hope (#15144, @tgraf)
* cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
* cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
* cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
* Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
* Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
* daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
* doc: Document minimal version of AWS CNI in chaining mode (#15304, @tgraf)
* docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
* Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
* Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
* Envoy use of original source address in upstream connections is disabled when datapath is tunneling. (#14594, @jrajahalme)
* Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
* Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
* Honor `allocateLoadBalancerNodePorts` in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
* Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
* hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
* Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
* hubble: Add node name filter (#13938, @twpayne)
* hubble: Add support for Cilium debug events (#14602, @gandro)
* hubble: allow filtering by agent event subtypes (#14305, @tklauser)
* hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
* hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
* hubble: Support for debug capture events (#14432, @gandro)
* Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
* kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
* maglev: Parallelize calculation of permutations (#14597, @brb)
* Make Cilium the only CNI configuration available in the host to avoid pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
* Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
* node-neigh: add metric to count arping requests (#14816, @jaffcheng)
* operator: added --pprof flag/endpoint (#14903, @mvisonneau)
* Remove deprecated v1.10 options (#14291, @jibi)
* Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
* Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
* set cilium agent only run on linux nodes (#14495, @answer1991)
* Tag ENIs at creation time (#14500, @ungureanuvladvictor)
* TCP flags based filter for hubble. (#13826, @nyrahul)
* tools: Add initial dev-doctor (#13772, @twpayne)

**Bugfixes:**
* Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
* Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
* daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
* Fix backwards compatibility of status API (#15143, @tgraf)
* Fix bug where `enable-endpoint-routes` change required all pods to restart to take effect (#15228, @pchaigno)
* Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
* Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
* hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
* ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
* ipam/aws: updated EC2 instances ENI limits and added a helper function to make it easier to do so in the future (#14906, @mvisonneau)
* node: Fix CIDR comparison when updating routes (#15263, @brb)
* operator: release leader lease lock on operator exit (#14554, @fristonio)
* service: Restore Maglev table when M changes (#14469, @brb)
* Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)

**CI Changes:**
* .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
* .github/workflows: remove `go version` commands from golangci-lint job (#15238, @tklauser)
* .travis: fail Travis if race detection builds also fail (#15199, @aanm)
* Add 'nilness' to golangci (#14066, @joestringer)
* Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
* bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
* ci: add CodeQL analysis (#14514, @twpayne)
* ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
* ci: Bump vagrant boxes (#14982, @gandro)
* ci: change manifest path for perf test (#14183, @nebril)
* ci: Check gke cluster state before selecting it (#14130, @nebril)
* ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
* ci: fix nightly image (#14170, @nebril)
* ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @Skymirrh)
* ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
* ci: remove params from upstream k8s job (#15168, @nebril)
* ci: skip gke clusters with ongoing operations (#14348, @nebril)
* ci: use host images in master job (#14311, @nebril)
* ci: use host kubectl in k8s-all (#14302, @nebril)
* ci: Use images built on host in k8s-all job (#14292, @nebril)
* ci: use images from quay.io (#14937, @nebril)
* ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @Skymirrh)
* ci: wait for quay images and boot vms in parallel (#15300, @nebril)
* contrib: Add integration testing shell helpers (#14404, @joestringer)
* docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
* DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
* e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
* Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
* jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
* jenkinsfiles: remove unused environment variables (#15125, @aanm)
* labelsfilter: Fix test for default filters (#15024, @pchaigno)
* Remove docker-compose leftovers (#14426, @tklauser)
* Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
* Revert "refactor: Remove `time.After` from any Loops" (#14371, @tklauser)
* run bpf_ct_tests as part of CI (#14916, @kkourt)
* test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
* test/helpers: remove unused functions and consts (#15241, @tklauser)
* test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
* test: add iptables masquerading without random-fully test (#14476, @jibi)
* test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
* test: Always select nodes by label (#14867, @pchaigno)
* test: change access of go dir in test vm (#15265, @nebril)
* test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
* test: disable fqdn connectivity test during restart (#13930, @tklauser)
* test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
* test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
* test: Extend coverage for host policies enforcement (#14822, @pchaigno)
* test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
* test: Fix local tests (#15130, @pchaigno)
* test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
* test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
* test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
* test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
* test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
* test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
* test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
* test: Reduce build durations (#14223, @pchaigno)
* test: Reenable debug mode for monitor tests (#15127, @pchaigno)
* test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
* test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
* test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
* test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
* test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
* test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
* test: Unquarantine the random-fully test (#15205, @pchaigno)
* test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
* test: Use stable tags instead of :latest (#14093, @pchaigno)
* vagrant: bump all box versions (#14274, @jibi)
* vagrant: Bump all Vagrant box versions (#14167, @pchaigno)

**Misc Changes:**
* .dockerignore: add *.box files (#14045, @kkourt)
* .github: add GitHub actions to build images (#14917, @aanm)
* .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
* .github: change step order (#14703, @aanm)
* .github: checkout right SHA for base images (#15069, @aanm)
* .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
* .github: Fix cilium project management for v1.9 (#14065, @joestringer)
* .github: fix correct sha for images build (#15065, @aanm)
* .github: publish tags from master branch in official repositories (#15078, @aanm)
* .github: set :latest tag for merges into master branch (#14933, @aanm)
* .github: set different workflow IDs (#14932, @aanm)
* .github: update GH actions on stable branches (#15208, @aanm)
* .github: update release process (#14672, @aanm)
* .github: update v1.9 cilium-actions project number (#14683, @aanm)
* .github: use quay.io images in smoke tests (#15005, @aanm)
* .gitignore: add .vscode/ directory (#14664, @ti-mo)
* Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
* Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
* Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
* Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
* add GH action to push hot fix images into -dev repositories (#15061, @aanm)
* Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
* Add multi-arch support to all images (#15023, @aanm)
* Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
* Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
* add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
* add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
* add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
* Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
* Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
* Added flag `proxy.prometheus.enabled` to helm chart for disabling service (#14688, @yuriydzobak)
* Added Tailor Brands to users (#14605, @liorrozen)
* Address #13894 nits (#13985, @jibi)
* Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
* Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
* Agent: Include Cilium version in output of 'cilium status --verbose' (#14492, @romanspb80)
* agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
* alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
* all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
* all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
* allocator: Quieten local key allocation logging (#14804, @joestringer)
* api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
* arp: Set deadline for each retry (#14651, @brb)
* bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
* bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
* bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
* bpf: datapath: Rewrite base devices setup in Go (#13915, @mrostecki)
* bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
* bpf: fixes for host routing (#15240, @borkmann)
* bpf: lb pmtu discovery support (#14980, @borkmann)
* bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
* bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
* Bugtool: add taskset (#14568, @youssefazrak)
* bugtool: Record attached BPF programs (#14895, @aditighag)
* Bugtool: route tables are dynamically dumped (#14488, @youssefazrak)
* build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
* build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
* build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
* build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
* build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
* build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
* build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
* build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
* build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
* build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
* build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
* build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
* build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
* build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
* build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
* build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
* build: Minor fixes to .gitignore and docs (#13626, @twpayne)
* Bump alpine base image to 3.13.0 (#14718, @tklauser)
* Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
* Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
* Bump gops to 0.3.16 (#15213, @tklauser)
* Bump vendored dependencies (#14572, @tklauser)
* Bump vendored dependencies (part 2) (#14606, @tklauser)
* Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
* Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
* ci/dependabot: fix labels (#14773, @rolinh)
* ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
* ci: Add initial dependabot configuration (#14694, @twpayne)
* ci: build race-detection images in GH actions (#14979, @nebril)
* CI: fix cron values for CodeQL analysis (#14575, @twpayne)
* ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
* ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
* cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
* cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
* cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
* cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
* cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
* cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
* cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
* cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
* Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
* cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
* cli: Add LB IP to cilium status (#14445, @brb)
* cli: Rename kpr Protocols status field (#14977, @brb)
* coccinelle: update to python3 (#14522, @kaworu)
* CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
* CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
* CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
* CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
* CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
* CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
* CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
* CODEOWNERS: Update required reviews (#15009, @pchaigno)
* Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
* Consistently use structured logging for errors (#13814, @tklauser)
* Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
* contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
* contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
* Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
* crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
* daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
* daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
* daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
* daemon_main: fix comments error (#14194, @lrouter)
* datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
* datapath/linux: Fix clang version regex check (#14742, @christarazi)
* datapath/loader: fix privileged test build (#14335, @tklauser)
* datapath: always generate BTF debug information (#14166, @jibi)
* datapath: migrate off j-keck/arping (#13112, @vladdy)
* datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
* datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
* dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
* dependabot: Fix labels (#14717, @pchaigno)
* dependabot: ignore ginkgo updates (#14821, @tklauser)
* dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
* dependabot: limit number of open PRs to 1 (#14837, @tklauser)
* dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
* dev-doctor: Add Helm check (#14001, @twpayne)
* dev-doctor: Add more checks (#14229, @twpayne)
* distinguish between FIN and RST on datapath (#14097, @kkourt)
* doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
* Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
* doc: Update AUTHORS file (#14719, @kaworu)
* docker: bump cilium-iproute2 image (#14258, @jibi)
* Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
* docker: Pre-pull images correctly (#14759, @jrajahalme)
* Dockerfile image build process follow-ups (#15110, @aanm)
* Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
* docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
* docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
* docs: Add az login command to AKS getting started guide (#13926, @twpayne)
* docs: Add info about Envoy smoke test (#14359, @jrajahalme)
* docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
* docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
* docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
* docs: clarify janitor duties (#14127, @jibi)
* docs: Clarify that empty endpoint selectors implicitly limit to namespace (#14580, @twpayne)
* docs: Document update-cmdref make target usage (#14925, @nebril)
* docs: Expand triage description (#14235, @joestringer)
* docs: Fix commands to build dev. docker images (#15231, @pchaigno)
* docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
* docs: Fix hint for updating cmdref (#13795, @brb)
* docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
* docs: fix llvm git repo and clang folder (#14812, @fnzv)
* docs: Improve DNS port documentation (#14144, @joestringer)
* docs: Recommend use of backport scripts (#14011, @pchaigno)
* docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
* docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
* docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
* docs: update dependency table to add links and download command (#15055, @kaitoii11)
* docs: Update our community docs page (#14968, @pchaigno)
* docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
* docs: Updates steps when using submit-backport (#14799, @pchaigno)
* Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
* Documentation: Update list of Jenkins jobs (#14592, @twpayne)
* Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
* endpoint: Enhance policy map sync (#14370, @jrajahalme)
* endpoint: Fix typo in CT clean logic (#14137, @joestringer)
* endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
* envoy: Update proxylib interface (#14560, @jrajahalme)
* envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
* Export and use agent event sub-types for Hubble (#14415, @tklauser)
* Extend endpoint related interfaces (#14743, @aditighag)
* Fix a bug that was causing Azure IPAM with multiple pod subnets to not work. (#15182, @AnishShah)
* Fix a typo in terminology documentation (#14181, @didier-durand)
* fix broken link on readme (#13981, @kaitoii11)
* Fix cilium typos (#14180, @twpayne)
* Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
* Fix integer conversions (#14561, @twpayne)
* Fix rawgit links in README.rst (#14092, @vignesh-codes)
* Fix typo in grpc example (#14874, @teyuchang)
* Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
* fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
* fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
* gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
* health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
* Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
* hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
* hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
* hubble: allow to filter agent events (#14242, @tklauser)
* hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
* hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
* hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
* images, vendor: update gops to 0.3.17 (#15299, @tklauser)
* images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
* images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
* images: re-write README.md (#15108, @aanm)
* Improve pod deletion resiliency (#14898, @joestringer)
* install/kubernetes: remove quick-install from master branches (#15250, @aanm)
* install/kubernetes: set k8s min version manually (#14778, @aanm)
* install: Remove 1.9 RC workaround (#13863, @joestringer)
* ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
* jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
* k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
* k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
* k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
* k8s: Update libraries to v1.20.1 (#14481, @christarazi)
* kvstore: Fix event watcher serialization (#14101, @joestringer)
* lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
* maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
* make: Use buildkit for docker targets by default (#14714, @jrajahalme)
* make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
* Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
* Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
* Makefile: Remove microk8s prepull script (#14148, @joestringer)
* Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
* Makefile: Simplify to run faster (#13939, @jrajahalme)
* Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
* Minor backporting script tweaks (#14027, @twpayne)
* Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
* Modified path of fuzzer (#14813, @AdamKorcz)
* monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
* monitor: Display human-readable identities (#13601, @pchaigno)
* node/manager: remove unused *Manager methods (#15106, @tklauser)
* Observer to ignore unhandled debug event types (#14589, @anfernee)
* operator: use logfields in cilium operator logging (#14548, @fristonio)
* Optimize Label.String() (#15089, @michi-covalent)
* pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
* pkg/k8s: add DeepEqual code generation for Service (#15077, @aanm)
* pkg/k8s: remove unused code (#14376, @aanm)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
* pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
* pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
* pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
* policy: Fix typo in issue link (#15251, @joestringer)
* policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
* Prepare for 1.10.0 development (#13617, @aanm)
* README: update security releases (#13977, @aanm)
* Refactor endpoint management (#14745, @joestringer)
* refactor: Remove `time.After` from any Loops (#14265, @nathanjsweet)
* refactor: Remove `time.After` from any Loops (#14380, @nathanjsweet)
* Remove references for old k8s version from tests (#14471, @fristonio)
* remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
* Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
* Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
* Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
* Revert accidentally introduced port change (#14328, @brandshaide)
* stale-bot: stale PRs with assignees (#14364, @aanm)
* Switch metrics map to cilium/ebpf (#14582, @jibi)
* test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
* test/Makefile: fix registryCredentials typo (#14051, @kkourt)
* test/packet: Default download to /tmp (#14055, @pchaigno)
* test: Allow test VMs have swap (#14506, @jrajahalme)
* test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
* test: get cilium pods inside background closure (#14057, @kkourt)
* test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
* test: update k8s to 1.20 (#14315, @aanm)
* treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
* Update authors file (#13866, @joestringer)
* Update CNI network plugin to 0.9.0 (#14620, @tklauser)
* Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
* Update Go to 1.15.5 (#14013, @tklauser)
* Update Go to 1.15.6 (#14298, @tklauser)
* Update Go to 1.15.7 (#14662, @tklauser)
* Update Go to 1.15.8 (#14983, @tklauser)
* Update Go to 1.16 (#15068, @tklauser)
* Update Go to 1.16.1 (#15314, @tklauser)
* Update release process (#15034, @aanm)
* Update stable releases (#13804, @christarazi)
* Update stable releases (#14282, @aanm)
* Update stable releases (#14671, @aanm)
* Update stable releases (#14706, @aanm)
* Update stable releases (#14763, @joestringer)
* Update stable releases (#14896, @christarazi)
* Update stable releases (#15018, @joestringer)
* Update stable releases (#15122, @joestringer)
* Update stable releases (#15313, @joestringer)
* Update USERS.md (#14831, @imathu)
* Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
* Use time.Truncate of more recent Go (#14493, @youssefazrak)
* Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
* Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
* Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
* Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
* vagrant: bump all box versions (#14632, @tklauser)
* vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
* vagrant: bump box versions (#14736, @tklauser)
* vagrant: bump box versions (#15090, @tklauser)
* vagrant: bump box versions, again (#15129, @tklauser)
* vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
* vagrant: make restart.sh executable (#13625, @twpayne)
* Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
* Various documentation / comments fixes and improvements (#14439, @kaworu)
* vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
* vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
* vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
* vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
* vendor: Update sigs.k8s.io/structured-merge-diff/v4 (#14752, @christarazi)
* vendor: use github.com/blang/semver/v4 (#14327, @tklauser)