Revision e6f34c3c98fe2e247fde581746e552d8cb18c33c authored by André Martins on 16 June 2021, 00:26:40 UTC, committed by André Martins on 16 June 2021, 00:40:51 UTC
Signed-off-by: André Martins <andre@cilium.io>
1 parent 435c9aa
CHANGELOG.md
# Changelog

## v1.10.1

Summary of Changes
------------------

**Minor Changes:**
* Add Helm option to disable registering CRD from Cilium Operator (Backport PR #16521, Upstream PR #15655, @Fedosin)
* docs: Revert host firewall to beta for kube-proxy setups (Backport PR #16269, Upstream PR #16149, @pchaigno)
* helm: add back 'wellKnownIdentities' (Backport PR #16269, Upstream PR #16142, @bmcustodio)
* helm: Disable the bandwidth manager by default (Backport PR #16438, Upstream PR #16380, @pchaigno)
* HTTP response access logs no longer contain the request headers, except for 'x-request-id',
 which is still included for request/response correlation purposes. (Backport PR #16384, Upstream PR #16211, @jrajahalme)
* Remove deprecated --update-ec2-apdater-limit-via-api option (Backport PR #16438, Upstream PR #16374, @twpayne)
* Support non-default Azure clouds (Backport PR #16384, Upstream PR #16043, @ungureanuvladvictor)
* Update k8s libraries to 1.21.1 (#16250, @nathanjsweet)

**Bugfixes:**
* alibabacloud: fix race (Backport PR #16269, Upstream PR #16175, @l1b0k)
* daemon: Ignore cilium_* interfaces when deriving NodePort device (Backport PR #16269, Upstream PR #16104, @eyanulis)
* datapath: Use TUNNEL_MODE as indicator for tunnel mode (Backport PR #16521, Upstream PR #16328, @anfernee)
* endpoint: trigger k8s sync controller on identity update (Backport PR #16438, Upstream PR #16381, @jibi)
* Fix "unable to update ipcache map entry on pod add" harmless log warnings (Backport PR #16384, Upstream PR #16286, @aanm)
* Fix bug where Cilium allocates a new router (`cilium_host`) IP upon node reboot, breaking connectivity especially with IPsec (Backport PR #16438, Upstream PR #16307, @christarazi)
* Fix bug where users were unable to use node-selectors in the BGP configuration when using BGP support (Backport PR #16521, Upstream PR #16341, @christarazi)
* Fix bug with Helm chart where a user could not enable BGP and set Operator resources. (Backport PR #16438, Upstream PR #16273, @rkage)
* Fixed bug causing policy realization to be skipped in some scenarios with endpoint identity churn. (Backport PR #16384, Upstream PR #16271, @jrajahalme)
* helm: Fix patch failure when updating `hubble-generate-certs` (Backport PR #16438, Upstream PR #16373, @gandro)
* Ignore K8s namespace events that have the same labels (Backport PR #16384, Upstream PR #16268, @aanm)
* install: Allow setting enable-health-check-nodeport to 'false' (Backport PR #16438, Upstream PR #16323, @dctrwatson)
* ipam: fix crd mode (Backport PR #16521, Upstream PR #16493, @joamaki)
* loader: Revert incorrect initialization of endpoints in chaining mode (Backport PR #16384, Upstream PR #16227, @pchaigno)
* Remove previous PERM ARP entries installed by Cilium when kube-proxy-replacement and IPSec are disabled. (Backport PR #16521, Upstream PR #16359, @aanm)

**CI Changes:**
* .github: Cancel outdated GitHub workflows (Backport PR #16269, Upstream PR #16199, @pchaigno)
* .github: Don't persist credentials in repository (Backport PR #16384, Upstream PR #16052, @pchaigno)
* .github: Don't wait for GKE cluster cleanup (Backport PR #16384, Upstream PR #16319, @pchaigno)
* .github: Fix concurrency group comment triggers (Backport PR #16384, Upstream PR #16310, @pchaigno)
* .github: Fix error triggered by large comments (Backport PR #16438, Upstream PR #16360, @pchaigno)
* .github: Fix scheduled end-to-end tests (Backport PR #16384, Upstream PR #16274, @pchaigno)
* .github: Skip unnecessary workflow steps (Backport PR #16269, Upstream PR #16157, @pchaigno)
* .github: Speed up cluster cleanups in end-to-end tests (Backport PR #16269, Upstream PR #16207, @pchaigno)
* ci: add slack notification to GH actions (Backport PR #16269, Upstream PR #16218, @nebril)
* ci: restart portmap service on CI nodes (Backport PR #16521, Upstream PR #16506, @nebril)
* examples, connectivity-check, test: Use even-numbered nodePort (Backport PR #16269, Upstream PR #16158, @christarazi)
* helm,test: Add standalone L4LB XDP tests in a form of Github Action (Backport PR #16521, Upstream PR #16338, @brb)
* Improve ipsec compile-time testing in CI (Backport PR #16269, Upstream PR #15872, @joestringer)
* Make LRP restore test logic robust and optimized (Backport PR #16384, Upstream PR #16194, @aditighag)
* node: fix arpping test (Backport PR #16521, Upstream PR #16432, @jibi)
* test/helpers: Fix incorrect count of endpoints (Backport PR #16521, Upstream PR #16437, @pchaigno)
* test: Instrument LB IP via BGP test with debug-events (Backport PR #16521, Upstream PR #16445, @christarazi)
* test: Quarantine fragment tracking test on GKE (Backport PR #16269, Upstream PR #16051, @pchaigno)
* test: Specify node-selectors in BGP configmap (Backport PR #16521, Upstream PR #16412, @christarazi)
* test: Use new test-verifier image in K8sVerifier (Backport PR #16438, Upstream PR #16231, @pchaigno)

**Misc Changes:**
* .github: add 'stable' tag as part of the v1.10 releases (#16404, @aanm)
* Add missing bpftool map dumps (Backport PR #16384, Upstream PR #16055, @h3llix)
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16369, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16436, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16415, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 (#16352, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 (#16331, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16533, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 (#16468, @dependabot[bot])
* Clarify one-time setup for backporting (Backport PR #16438, Upstream PR #16016, @christarazi)
* contrib: simplify check-docker-images script (Backport PR #16384, Upstream PR #16176, @aanm)
* daemon: Improve logging of device auto-detection (Backport PR #16438, Upstream PR #16118, @brb)
* docs: add a "Copy Commands" button for shell-session snippets (Backport PR #16521, Upstream PR #16408, @qmonnet)
* docs: add a reference of helm values (Backport PR #16521, Upstream PR #16238, @bmcustodio)
* docs: Clarify coordination for backporting process (Backport PR #16269, Upstream PR #15989, @christarazi)
* docs: Clarify LRP loop related note (Backport PR #16438, Upstream PR #16342, @aditighag)
* docs: document the policy for backporting documentation changes (Backport PR #16384, Upstream PR #16137, @qmonnet)
* docs: ENIs should not be managed by the OS (Backport PR #16521, Upstream PR #16186, @gandro)
* docs: fix a typo in Helm installation documentation (Backport PR #16384, Upstream PR #16325, @netflash)
* docs: Fix build failure (Backport PR #16521, Upstream PR #16454, @pchaigno)
* docs: Fix Helm instructions for BGP (Backport PR #16384, Upstream PR #16263, @xentobias)
* docs: fix some dead links (Backport PR #16384, Upstream PR #16336, @aanm)
* docs: fix warnings for documentation build, use a linter (Backport PR #16521, Upstream PR #16407, @qmonnet)
* docs: Fix WireGuard spelling (Backport PR #16384, Upstream PR #16293, @gandro)
* docs: mark node-to-node IPSec encryption as beta (Backport PR #16521, Upstream PR #16200, @qmonnet)
* docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 (Backport PR #16384, Upstream PR #16288, @aanm)
* docs: Update troubleshooting for 1.10 (Backport PR #16384, Upstream PR #16081, @twpayne)
* docs: use `.. code-block:: shell-session` wherever relevant (Backport PR #16521, Upstream PR #16474, @qmonnet)
* docs: various fixes to documentation, notably Getting Started Guides (Backport PR #16384, Upstream PR #16126, @nbusseneau)
* examples: add an example of a hubble-cli Deployment (Backport PR #16521, Upstream PR #16459, @kaworu)
* Improve author attribution scripts (Backport PR #16269, Upstream PR #15899, @joestringer)
* Makefile, contrib: Add script to create kind cluster (Backport PR #16384, Upstream PR #12527, @christarazi)
* pkg/k8s: add pod IP event change (Backport PR #16438, Upstream PR #16190, @aanm)
* Refactored, renamed and small misc changes in GH workflows (Backport PR #16384, Upstream PR #16312, @aanm)
* Specify scrape interval for Hubble metrics (Backport PR #16269, Upstream PR #16214, @christian-2)
* Update base image to fix potential security vulnerabilities detected by image scanners. (#16527, @aanm)
* Update test/packet instructions for running CI tests on dedicated instances (Backport PR #16438, Upstream PR #16423, @christarazi)
* v1.10: Update Go to 1.16.5 (#16429, @tklauser)
* vendor: Bump go.universe.tf/metallb (Backport PR #16269, Upstream PR #16187, @christarazi)

**Other Changes:**
* install: Update image digests for v1.10.0 (#16243, @aanm)

## v1.10.0

Summary of Changes
------------------

**Major Changes:**
* Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
* Add AlibabaCloud Operator (#15160, @l1b0k)
* Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
* Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
* Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using `enable-ipv6-masquerade` agent option. (#14124, @fristonio)
* Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
* doc: Add Code of Conduct (#15305, @tgraf)
* doc: Deprecate managed etcd mode (#15464, @tgraf)
* doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)
* Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
* Integrate Wireguard for pod2pod encryption (#15383, @brb)
* Rework Quick & Helm Installation Guide (#15695, @tgraf)
* Update to Kubernetes 1.20 (#14248, @aanm)

**Minor Changes:**
* Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
* Add helm option enableEgressGateway (#15777, @anfernee)
* Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
* Add new `cilium_bpf_map_pressure` metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
* Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
* Add support for agent events to Hubble API (#14168, @tklauser)
* Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
* Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
* Adds capability to filter events based on IP version. (#14556, @nyrahul)
* Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
* agent: Silence some useless warnings (#15450, @tgraf)
* api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
* arp: Add retries to arping (#14601, @brb)
* AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (Backport PR #16210, Upstream PR #15828, @Smana)
* bpf: add LB ipip health check datapath (#14610, @borkmann)
* bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
* bpf: Adds support for dropping IPv4 fragmented packets (#15733, @navarrothiago)
* bpf: bpf host routing for tunneling (#15148, @borkmann)
* Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
* CI 3.0: A New Hope (#15144, @tgraf)
* ci: Increase time limit from 15m to 30m (#15371, @tgraf)
* cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
* cilium: Add encryption mode to `cilium status` (#15833, @gandro)
* cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
* cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
* Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
* Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
* custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
* daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
* daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
* daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
* daemon: Remove --help flags grouping (#15564, @brb)
* datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
* datapath: Create MAC_BY_IFINDEX_MACRO in Go (#15267, @brb)
* doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
* doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
* doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
* doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
* docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
* docs: Move host firewall out of beta (#15761, @pchaigno)
* docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
* Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
* Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
* Envoy use of original source address in upstream connections is disabled when datapath is tunneling. (#14594, @jrajahalme)
* examples: remove obsolete Mesos example (#15377, @tklauser)
* Expose more syslog options (#15545, @jaffcheng)
* Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
* helm: add ca.crt to tls secrets (#15443, @kaworu)
* helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
* helm: move IPSec options under encryption.ipsec (#15846, @jibi)
* helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
* Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
* Honor `allocateLoadBalancerNodePorts` in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
* Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
* Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
* hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
* hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
* Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
* hubble: Add node name filter (#13938, @twpayne)
* hubble: Add recorder API (#15680, @gandro)
* hubble: add separate API to get agent and debug events (#15715, @tklauser)
* hubble: Add support for Cilium debug events (#14602, @gandro)
* hubble: allow filtering by agent event subtypes (#14305, @tklauser)
* hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
* hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
* hubble: Support for debug capture events (#14432, @gandro)
* images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
* Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
* install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
* iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
* iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
* Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
* k8s: add support for ipFamilies to services (#14914, @fristonio)
* kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
* maglev: Parallelize calculation of permutations (#14597, @brb)
* Make Cilium the only CNI configuration available in the host to prevent pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
* Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
* Minor README updates (#15372, @tgraf)
* node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
* operator: added --pprof flag/endpoint (#14903, @mvisonneau)
* Remove deprecated v1.10 options (#14291, @jibi)
* Remove legacy flannel integration (#15786, @tgraf)
* Remove some obsolete documentation (#15370, @tgraf)
* Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
* Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
* set cilium agent to only run on linux nodes (#14495, @answer1991)
* Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
* Support host policies with per-endpoint routes (#15217, @pchaigno)
* Tag ENIs at creation time (#14500, @ungureanuvladvictor)
* TCP flags based filter for hubble. (#13826, @nyrahul)
* Updates & clarifications to Governance Rules (#15325, @tgraf)
* wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
* wireguard: Add support for managed K8s (#15674, @gandro)
* wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)

**Bugfixes:**
* Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
* Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
* cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
* daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
* daemon/ipam: correct total IP count in `cilium status` output (#15707, @ArthurChiao)
* daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (Backport PR #16210, Upstream PR #16085, @jibi)
* Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
* Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
* encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
* eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
* Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
* Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
* Fix backwards compatibility of status API (#15143, @tgraf)
* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
* Fix ICMP Echo ID placement in CT maps (#15275, @brb)
* Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
* Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
* hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
* ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
* ipam/aws: updated EC2 instances ENI limits and added a helper function to make it easier to do so in the future (#14906, @mvisonneau)
* kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
* lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
* nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
* operator: release leader lease lock on operator exit (#14554, @fristonio)
* service: Restore Maglev table when M changes (#14469, @brb)
* Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
* ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)
* Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)
* Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)
* wireguard: Fix traffic counters in `cilium debuginfo` (Backport PR #16210, Upstream PR #16178, @gandro)

**CI Changes:**
* .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
* .github/workflows: remove `go version` commands from golangci-lint job (#15238, @tklauser)
* .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
* .travis: Disable email notifications on master failures (#15373, @pchaigno)
* .travis: fail Travis if race detection builds also fail (#15199, @aanm)
* <!-- Enter the release note text here if needed or remove this section! --> (#15659, @Ankurk99)
* <!-- Enter the release note text here if needed or remove this section! --> (#15796, @michi-covalent)
* Add 'nilness' to golangci (#14066, @joestringer)
* Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
* Add cyclonus network policy tester. (#14889, @mattfenwick)
* bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
* ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
* ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
* ci: add AKS workflow (#15466, @nbusseneau)
* ci: add CodeQL analysis (#14514, @twpayne)
* ci: add EKS workflow (#15465, @nbusseneau)
* ci: add gke workflow (#15416, @nebril)
* ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
* ci: Bump vagrant boxes (#14982, @gandro)
* ci: change manifest path for perf test (#14183, @nebril)
* ci: Check gke cluster state before selecting it (#14130, @nebril)
* ci: Fix `BGP router does not have route for LB IP` (#15771, @gandro)
* ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
* ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
* ci: fix nightly image (#14170, @nebril)
* ci: Fix nightly image (#15605, @nebril)
* ci: fix nightly image sha (#15708, @nebril)
* ci: fix/update GKE workflow (#15482, @nbusseneau)
* ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @nbusseneau)
* ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
* ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
* ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
* ci: skip gke clusters with ongoing operations (#14348, @nebril)
* ci: use host images in master job (#14311, @nebril)
* ci: use host kubectl in k8s-all (#14302, @nebril)
* ci: Use images built on host in k8s-all job (#14292, @nebril)
* ci: use images from quay.io (#14937, @nebril)
* ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @nbusseneau)
* ci: wait for quay images and boot vms in parallel (#15300, @nebril)
* cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
* cilium: test encryption workflows for GKE (#15595, @jrfastab)
* cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
* connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
* contrib: Add integration testing shell helpers (#14404, @joestringer)
* daemon: Do not attach bpf_host to L3 dev if skb_change_head is unavailable (#15343, @brb)
* docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
* DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
* e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
* Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
* jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
* jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
* jenkinsfiles: remove unused environment variables (#15125, @aanm)
* labelsfilter: Fix test for default filters (#15024, @pchaigno)
* node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
* Remove docker-compose leftovers (#14426, @tklauser)
* Remove unused jenkinsfiles (#15578, @aanm)
* Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
* Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
* Revert "refactor: Remove `time.After` from any Loops" (#14371, @tklauser)
* run bpf_ct_tests as part of CI (#14916, @kkourt)
* test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
* test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
* test/helpers: remove unused functions and consts (#15241, @tklauser)
* test/helpers: Support non-standard nodes names with NO_CILIUM_ON_NODE (#15384, @christarazi)
* test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
* test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
* test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
* test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
* test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
* test: add iptables masquerading without random-fully test (#14476, @jibi)
* test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
* test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
* test: Always select nodes by label (#14867, @pchaigno)
* test: change access of go dir in test vm (#15265, @nebril)
* test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
* test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
* test: disable fqdn connectivity test during restart (#13930, @tklauser)
* test: Disable host firewall in incompatible tests (#14545, @pchaigno)
* test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
* test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
* test: Extend coverage for host policies enforcement (#14822, @pchaigno)
* test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
* test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
* test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
* test: Fix incorrect uninstall in K8sBandwidth (Backport PR #16210, Upstream PR #16053, @pchaigno)
* test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
* test: Fix local tests (#15130, @pchaigno)
* test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
* test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
* test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
* test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
* test: Misc improvements (Backport PR #16210, Upstream PR #16064, @pchaigno)
* test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
* test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
* test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
* test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
* test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
* test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
* test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
* test: Reduce build durations (#14223, @pchaigno)
* test: Reenable debug mode for monitor tests (#15127, @pchaigno)
* test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
* test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
* test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
* test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
* test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
* test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
* test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
* test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
* test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
* test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
* test: Unquarantine the random-fully test (#15205, @pchaigno)
* test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
* test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
* test: Use node labels when testing host policies (#15714, @pchaigno)
* test: Use stable tags instead of :latest (#14093, @pchaigno)
* test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
* vagrant: bump all box versions (#14274, @jibi)
* vagrant: Bump all Vagrant box versions (#14167, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
* vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
* wireguard: Add pod2pod encryption tests (#15573, @brb)
* wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)
* workflows: add encryption for AKS testing (#15657, @nbusseneau)
* workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
* workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
* workflows: fix GKE `if` condition (#15788, @nbusseneau)
* workflows: fix schedule triggers (#15813, @nbusseneau)
* workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
* workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
* workflows: small fixes to Kind (#15658, @nbusseneau)

**Misc Changes:**
* .dockerignore: add *.box files (#14045, @kkourt)
* .github: add GitHub actions to build images (#14917, @aanm)
* .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
* .github: change dependabot interval to daily (#15651, @aanm)
* .github: change step order (#14703, @aanm)
* .github: checkout right SHA for base images (#15069, @aanm)
* .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
* .github: Fix cilium project management for v1.9 (#14065, @joestringer)
* .github: fix correct sha for images build (#15065, @aanm)
* .github: fix markdown typo (#15792, @aanm)
* .github: publish tags from master branch in official repositories (#15078, @aanm)
* .github: set :latest tag for merges into master branch (#14933, @aanm)
* .github: set different workflow IDs (#14932, @aanm)
* .github: update GH actions on stable branches (#15208, @aanm)
* .github: update release process (#14672, @aanm)
* .github: update steps for the release process of a RC (#15319, @aanm)
* .github: update v1.9 cilium-actions project number (#14683, @aanm)
* .github: use quay.io images in smoke tests (#15005, @aanm)
* .gitignore: add .vscode/ directory (#14664, @ti-mo)
* <!-- Enter the release note text here if needed or remove this section! --> (#15113, @TrevorTaoARM)
* Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
* Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
* Add custom resource for egress nat policies (#14998, @MasterZ40)
* Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
* add doc for AlibabaCloud ENI (#15512, @l1b0k)
* Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
* Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
* add GH action to push hot fix images into -dev repositories (#15061, @aanm)
* Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
* Add multi-arch support to all images (#15023, @aanm)
* add support for EndpointSlice V1 (#15524, @aanm)
* Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
* Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
* Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
* Add warning log when host enables SELinux (#15414, @konghui)
* add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
* add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
* add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
* Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
* Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
* Added flag `proxy.prometheus.enabled` to helm chart for disabling service (#14688, @yuriydzobak)
* Added Tailor Brands to users (#14605, @liorrozen)
* Address #13894 nits (#13985, @jibi)
* Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
* Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
* Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
* agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
* alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
* all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
* all: don't use the deprecated io/ioutil package (#15242, @tklauser)
* all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
* allocator: Quieten local key allocation logging (#14804, @joestringer)
* api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
* arp: Set deadline for each retry (#14651, @brb)
* Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
* AUTHORS: Update email (#15885, @jrajahalme)
* aws/eni/limits: lazily populate limits map (#15523, @tklauser)
* azure: Fix API rate limit test (#15493, @twpayne)
* bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
* bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
* bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
* bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
* bpf: datapath: Rewrite base devices setup in Go (#13915, @mrostecki)
* bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
* bpf: fixes for host routing (#15240, @borkmann)
* bpf: initial pcap exporter for lb (#15376, @borkmann)
* bpf: lb pmtu discovery support (#14980, @borkmann)
* bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
* bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
* bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
* bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
* bpf_host: declare variables in the beginning of the block (#15560, @johngv2)
* build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
* build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
* build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
* build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16109, @dependabot[bot])
* build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
* build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
* build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
* build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
* build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
* build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
* build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
* build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
* build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
* build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
* build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
* build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
* build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
* build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
* build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
* build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
* build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
* build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
* build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
* build: Minor fixes to .gitignore and docs (#13626, @twpayne)
* Bump alpine base image to 3.13.0 (#14718, @tklauser)
* Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
* Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
* Bump gops to 0.3.16 (#15213, @tklauser)
* Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
* Bump vendored dependencies (#14572, @tklauser)
* Bump vendored dependencies (part 2) (#14606, @tklauser)
* bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
* Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
* Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
* ci/dependabot: fix labels (#14773, @rolinh)
* ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
* ci: Add initial dependabot configuration (#14694, @twpayne)
* ci: build race-detection images in GH actions (#14979, @nebril)
* CI: fix cron values for CodeQL analysis (#14575, @twpayne)
* ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
* ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
* cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
* cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
* cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
* cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
* cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
* cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
* cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
* cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
* cilium: pcap recorder agent management (#15633, @borkmann)
* cilium: pcap recorder follow ups (#15782, @borkmann)
* cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
* Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
* cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
* cli: Add LB IP to cilium status (#14445, @brb)
* cli: Rename kpr Protocols status field (#14977, @brb)
* coccinelle: update to python3 (#14522, @kaworu)
* CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
* CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
* CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
* CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
* CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
* CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
* CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
* CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
* CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
* CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
* CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
* CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
* CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
* CODEOWNERS: Update required reviews (#15009, @pchaigno)
* Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
* Consistently use structured logging for errors (#13814, @tklauser)
* Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
* contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
* contrib: add dual-stack support for dev VMs (#15827, @aanm)
* contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
* contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
* contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
* contrib: Make upstream commit check more generic (Backport PR #16210, Upstream PR #16160, @joestringer)
* Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
* crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
* custom calls: cleanup and improve a few elements (#15480, @qmonnet)
* daemon: Add hidden --cflags debug command (#15549, @joestringer)
* daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
* daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
* daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
* daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
* daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
* daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
* daemon: Remove unnecessary log (#15776, @christarazi)
* daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
* daemon_main: fix comments error (#14194, @lrouter)
* datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
* datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
* datapath/linux/probes: remove unused (*ProbeManager).GetMisc (#15647, @tklauser)
* datapath/linux: Fix clang version regex check (#14742, @christarazi)
* datapath/loader: fix privileged test build (#14335, @tklauser)
* datapath: always generate BTF debug information (#14166, @jibi)
* datapath: migrate off j-keck/arping (#13112, @vladdy)
* datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
* datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
* datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
* dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
* dependabot: Fix labels (#14717, @pchaigno)
* dependabot: ignore ginkgo updates (#14821, @tklauser)
* dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
* dependabot: limit number of open PRs to 1 (#14837, @tklauser)
* dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
* dev-doctor: Add Helm check (#14001, @twpayne)
* dev-doctor: Add more checks (#14229, @twpayne)
* distinguish between FIN and RST on datapath (#14097, @kkourt)
* doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
* doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
* doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
* Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
* doc: Update AUTHORS file (#14719, @kaworu)
* doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
* docker: bump cilium-iproute2 image (#14258, @jibi)
* Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
* docker: Pre-pull images correctly (#14759, @jrajahalme)
* Dockerfile image build process follow-ups (#15110, @aanm)
* Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
* Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
* docs, gsg: add link to plumbers talk on service lb mechanisms (Backport PR #16210, Upstream PR #16171, @borkmann)
* docs, gsg: minor edits to kpr guide and note on hybrid use (Backport PR #16210, Upstream PR #16169, @borkmann)
* docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
* docs/encryption: Document limitations and workarounds (#15876, @gandro)
* docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
* docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
* docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
* docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
* docs: Add az login command to AKS getting started guide (#13926, @twpayne)
* docs: Add BGP GSG (#15519, @christarazi)
* docs: Add caveat for OpenShift (Backport PR #16210, Upstream PR #16161, @christarazi)
* docs: add cilium-operator technical overview documentation (#14530, @fristonio)
* docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
* docs: Add info about Envoy smoke test (#14359, @jrajahalme)
* docs: add information about ConfigMap updates (Backport PR #16210, Upstream PR #16141, @aanm)
* docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
* docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
* docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
* docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
* docs: Add Wireguard Getting Started Guide (#15787, @gandro)
* docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
* docs: clarify janitor duties (#14127, @jibi)
* docs: Clarify that empty endpoint selectors implicitly limit to namespace (#14580, @twpayne)
* docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
* docs: document final steps for nomination of new committers (#15378, @qmonnet)
* docs: Document update-cmdref make target usage (#14925, @nebril)
* docs: example cluster-wide health endpoint (#15348, @Shikugawa)
* docs: Expand triage description (#14235, @joestringer)
* docs: Fix commands to build dev. docker images (#15231, @pchaigno)
* docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
* docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
* docs: Fix hint for updating cmdref (#13795, @brb)
* docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
* docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
* docs: fix llvm git repo and clang folder (#14812, @fnzv)
* docs: Fix pip installation (#15705, @brb)
* docs: Fix sed in OKD GSG (#15822, @christarazi)
* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
* docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
* docs: Improve DNS port documentation (#14144, @joestringer)
* docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
* docs: Improve wording around Helm values in OKD GSG (Backport PR #16210, Upstream PR #16069, @errordeveloper)
* docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
* docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
* docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
* docs: Recommend use of backport scripts (#14011, @pchaigno)
* docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
* docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
* docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
* docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
* docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
* docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
* docs: Tweak backporting doc (#15369, @twpayne)
* docs: update dependency table to add links and download command (#15055, @kaitoii11)
* docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
* docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
* docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
* docs: Updates steps when using submit-backport (#14799, @pchaigno)
* docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
* Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
* Documentation: Update list of Jenkins jobs (#14592, @twpayne)
* Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
* ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
* Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
* Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
* endpoint: Add named type for endpoint state (#15614, @ammmk)
* endpoint: Enhance policy map sync (#14370, @jrajahalme)
* endpoint: Fix typo in CT clean logic (#14137, @joestringer)
* endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
* ENI migration followups (#15702, @christarazi)
* envoy: Update proxylib interface (#14560, @jrajahalme)
* envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
* examples: Split host policies for dev. VMs (#15577, @pchaigno)
* Export and use agent event sub-types for Hubble (#14415, @tklauser)
* Extend endpoint related interfaces (#14743, @aditighag)
* Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
* Fix a typo in terminology documentation (#14181, @didier-durand)
* fix broken link on readme (#13981, @kaitoii11)
* Fix cilium typos (#14180, @twpayne)
* Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
* Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
* Fix integer conversions (#14561, @twpayne)
* Fix logging for expired FQDN IPs (Backport PR #16210, Upstream PR #16030, @youssefazrak)
* Fix rawgit links in README.rst (#14092, @vignesh-codes)
* Fix typo in grpc example (#14874, @teyuchang)
* Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
* Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
* fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
* fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
* gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
* health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
* Helm: adjust comment in values.yaml to accommodate Vim users (#15334, @qmonnet)
* Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
* hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
* hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
* hubble: allow to filter agent events (#14242, @tklauser)
* hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
* hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
* hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
* images, vendor: update gops to 0.3.17 (#15299, @tklauser)
* images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
* images/runtime: update ubuntu base image (#15615, @aanm)
* images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
* images: re-write README.md (#15108, @aanm)
* images: squash common operator images in a single Dockerfile (#15849, @aanm)
* Implement egress gateway datapath (#14830, @anfernee)
* Improve pod deletion resiliency (#14898, @joestringer)
* install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
* install/kubernetes: remove quick-install from master branches (#15250, @aanm)
* install/kubernetes: set k8s min version manually (#14778, @aanm)
* install: Remove 1.9 RC workaround (#13863, @joestringer)
* iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
* iptables: use CILIUM_* chains for per-endpoint no CT rules (#15411, @jibi)
* ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
* issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
* jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
* k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
* k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
* k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
* k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
* k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
* k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
* k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
* k8s: Update libraries to v1.20.1 (#14481, @christarazi)
* kvstore: Fix event watcher serialization (#14101, @joestringer)
* lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
* loader : Log upsert and remove route errors (#15339, @h3llix)
* loader : Log upsert and remove route errors (#15525, @h3llix)
* maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
* MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
* make: add help target to root Makefile for printing info about available targets (#15087, @fristonio)
* make: Use buildkit for docker targets by default (#14714, @jrajahalme)
* make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
* Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
* Makefile: Fix microk8s image target (#15516, @joestringer)
* Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
* Makefile: Remove microk8s prepull script (#14148, @joestringer)
* Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
* Makefile: Simplify to run faster (#13939, @jrajahalme)
* Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
* Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
* Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
* Modified path of fuzzer (#14813, @AdamKorcz)
* monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
* monitor: Display human-readable identities (#13601, @pchaigno)
* node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
* node/manager: remove unused *Manager methods (#15106, @tklauser)
* node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
* Observer to ignore unhandled debug event types (#14589, @anfernee)
* operator: use logfields in cilium operator logging (#14548, @fristonio)
* Optimize Label.String() (#15089, @michi-covalent)
* pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
* pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
* pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
* pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
* pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (Backport PR #16210, Upstream PR #16153, @aanm)
* pkg/k8s: remove unused code (#14376, @aanm)
* pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
* pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
* pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
* pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
* pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
* policy: Fix typo in issue link (#15251, @joestringer)
* policy: improve CNP initial sync (#15492, @jaffcheng)
* policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
* Prepare branch for v1.10 release cycle (#15868, @joestringer)
* Prepare for 1.10.0 development (#13617, @aanm)
* Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
* Prepare v1.10.0-rc0 (#15318, @aanm)
* README: update security releases (#13977, @aanm)
* Refactor endpoint management (#14745, @joestringer)
* refactor: Remove `time.After` from any Loops (#14265, @nathanjsweet)
* refactor: Remove `time.After` from any Loops (#14380, @nathanjsweet)
* release: Automate image digest PR creation (#15818, @joestringer)
* Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
* Remove NEEDS_RELAX_VERIFIER (#15610, @rscampos)
* Remove references for old k8s version from tests (#14471, @fristonio)
* remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
* rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
* Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
* Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
* Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
* Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
* Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
* Revert accidentally introduced port change (#14328, @brandshaide)
* Revert exported NoTrack rule function names. (#15505, @Weil0ng)
* Simplify runtime/builder image update (#15326, @tklauser)
* Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
* source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
* stale-bot: stale PRs with assignees (#14364, @aanm)
* Stub out some functionality on non-Linux platforms (#15355, @joestringer)
* Switch metrics map to cilium/ebpf (#14582, @jibi)
* test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
* test/Makefile: fix registryCredentials typo (#14051, @kkourt)
* test/packet: Default download to /tmp (#14055, @pchaigno)
* test: Allow test VMs have swap (#14506, @jrajahalme)
* test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
* test: get cilium pods inside background closure (#14057, @kkourt)
* test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
* test: Remove nop condition from tests (#15541, @pchaigno)
* test: update add_vagrant_box.sh (#15831, @twpayne)
* test: update k8s tested versions (#15528, @aanm)
* test: update k8s to 1.20 (#14315, @aanm)
* test: update k8s to 1.21.0 (#15616, @aanm)
* tools: Add initial dev-doctor (#13772, @twpayne)
* treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
* ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
* Update authors file (#13866, @joestringer)
* Update AWS deps (#15759, @ungureanuvladvictor)
* Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
* Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
* Update CNI network plugin to 0.9.0 (#14620, @tklauser)
* Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
* Update Go to 1.15.5 (#14013, @tklauser)
* Update Go to 1.15.6 (#14298, @tklauser)
* Update Go to 1.15.7 (#14662, @tklauser)
* Update Go to 1.15.8 (#14983, @tklauser)
* Update Go to 1.16 (#15068, @tklauser)
* Update Go to 1.16.1 (#15314, @tklauser)
* Update Go to 1.16.2 (#15344, @tklauser)
* Update Go to 1.16.3 (#15566, @tklauser)
* Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
* Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
* Update release process (#15034, @aanm)
* Update stable releases (#13804, @christarazi)
* Update stable releases (#14282, @aanm)
* Update stable releases (#14671, @aanm)
* Update stable releases (#14706, @aanm)
* Update stable releases (#14763, @joestringer)
* Update stable releases (#14896, @christarazi)
* Update stable releases (#15018, @joestringer)
* Update stable releases (#15122, @joestringer)
* Update stable releases (#15313, @joestringer)
* Update stable releases (#15805, @joestringer)
* Update USERS.md (#14831, @imathu)
* Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
* Updates golang:1.16.3 digest (#15790, @Weil0ng)
* Use go embed and remove go-bindata dependency (#15834, @aanm)
* Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
* Use time.Truncate of more recent Go (#14493, @youssefazrak)
* Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
* Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
* v1.10: Update Go to 1.16.4 (#16061, @tklauser)
* Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
* Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
* vagrant: bump all box versions (#14632, @tklauser)
* vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
* vagrant: bump box versions (#14736, @tklauser)
* vagrant: bump box versions (#15090, @tklauser)
* vagrant: bump box versions, again (#15129, @tklauser)
* vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
* vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
* vagrant: make restart.sh executable (#13625, @twpayne)
* Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
* Various documentation / comments fixes and improvements (#14439, @kaworu)
* vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
* vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
* vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
* vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
* vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
* vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
* vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
* vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)
* vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
* vendor: use github.com/blang/semver/v4 (#14327, @tklauser)
* wireguard: Better error message if kernel support is lacking (#15825, @gandro)
* wireguard: Fix rp_filter setting (#15542, @brb)
* wireguard: Improve logging (#15807, @brb)
* wireguard: Remove operator and disable KPR encryption (#15565, @brb)

**Other Changes:**
* install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
* install: Update image digests for v1.10.0-rc2 (#16174, @aanm)
* Prepare for release v1.10.0-rc1 (#15897, @joestringer)
* Prepare for release v1.10.0-rc2 (#16167, @aanm)
* workflows: fix image workflows for v1.10 (#16009, @nbusseneau)

## v1.10.0-rc2

Summary of Changes
------------------

**Major Changes:**
* doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)

**Minor Changes:**
* daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
* doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
* doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
* doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
* Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
* images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
* install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
* node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
* Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
* wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)

**Bugfixes:**
* cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
* Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
* eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
* Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
* Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
* ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)

**CI Changes:**
* ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
* ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
* connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
* jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
* node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
* test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
* test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
* test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
* test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
* test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
* test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
* test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
* test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
* wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)

**Misc Changes:**
* Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
* bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
* CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
* contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
* contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
* doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
* doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
* Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
* docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
* docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
* docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
* docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
* docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
* docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
* docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
* docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
* docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
* docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
* docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
* docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
* docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
* docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
* ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
* Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
* Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
* Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
* issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
* Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
* node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
* Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
* Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
* Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
* v1.10: Update Go to 1.16.4 (#16061, @tklauser)
* vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
* vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)

**Other Changes:**
* install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
* workflows: fix image workflows for v1.10 (#16009, @nbusseneau)

## v1.10.0-rc1

**Note**: The summary of changes below reflects the diff between the last
release candidate (v1.10.0-rc0) and tag v1.10.0-rc1.

Summary of Changes
------------------

**Major Changes:**
* Add AlibabaCloud Operator (#15160, @l1b0k)
* Add support for k8s 1.21 and set minimal k8s supported version to 1.16 (#15502, @aanm)
* Add a Getting Started Guide for Rancher Kubernetes Engine (#15323, @seanmwinn)
* doc: Add Code of Conduct (#15305, @tgraf)
* doc: Deprecate managed etcd mode (#15464, @tgraf)
* Implement external IP (LoadBalancer) allocation & announcement via BGP for services (#15340, @christarazi)
* Integrate Wireguard for pod2pod encryption (#15383, @brb)
* Rework Quick & Helm Installation Guide (#15695, @tgraf)
* Implement egress gateway datapath (#14830, @anfernee)

**Minor Changes:**
* Add helm option enableEgressGateway (#15777, @anfernee)
* Added a new daemon option `--tofqdns-idle-connection-grace-period`. (#15458, @jrajahalme)
* Adds an option to specify Cilium router device IP (#14800, @Weil0ng)
* agent: Silence some useless warnings (#15450, @tgraf)
* bpf: Adds support for dropping IPv4 fragmented packets (#15733, @navarrothiago)
* Change default ENI property FirstInterfaceIndex to 0 and improve IPAM logic in ENI & Azure modes (#14801, @christarazi)
* ci: Increase time limit from 15m to 30m (#15371, @tgraf)
* cilium: Add encryption mode to `cilium status` (#15833, @gandro)
* custom calls: add new metrics to count skipped tail calls to custom programs (#15475, @qmonnet)
* daemon: add new option --allocator-list-timeout (#15538, @ArthurChiao)
* daemon: Remove --help flags grouping (#15564, @brb)
* datapath: add tail call hooks for custom metrics, bytecounter example (#13191, @qmonnet)
* datapath: Create MAC\_BY\_IFINDEX\_MACRO in Go (#15267, @brb)
* doc: Use Cilium CLI for Cluster Mesh documentation (#15359, @tgraf)
* docs: Move host firewall out of beta (#15761, @pchaigno)
* docs: Update OpenShift (OKD) GSG to use OLM operator (#15608, @errordeveloper)
* examples: remove obsolete Mesos example (#15377, @tklauser)
* Expose more syslog options (#15545, @jaffcheng)
* Hash IPSec keys in the bugtool. Unit tests are also added. (#15550, @h3llix)
* helm: add ca.crt to tls secrets (#15443, @kaworu)
* helm: consolidate IPSec and Wireguard encryption options (#15809, @jibi)
* helm: move IPSec options under encryption.ipsec (#15846, @jibi)
* helm: Replaced object-based extraArgs with array-based (#15233, @D1abloRUS)
* hubble: Add a flag to write Hubble events to a rotated file (#15557, @michi-covalent)
* hubble: Add recorder API (#15680, @gandro)
* hubble: add separate API to get agent and debug events (#15715, @tklauser)
* Improve scalability by reducing number of CEP watch events (#15230, @Weil0ng)
* iptables: add support for NOTRACK rules for pod to pod traffic (#15264, @jibi)
* iptables: relax no CT rules to match all pod traffic (#15467, @jibi)
* k8s: add support for ipFamilies to services (#14914, @fristonio)
* Minor README updates (#15372, @tgraf)
* node-neigh: Query once netlink for neigh discovery device (#15431, @brb)
* PolicyImportErrorsTotal metric is now incremented also from k8s policy watchers (#15820, @jrajahalme)
* Remove legacy flannel integration (#15786, @tgraf)
* Remove some obsolete documentation (#15370, @tgraf)
* Support host policies with per-endpoint routes (#15217, @pchaigno)
* Updates & clarifications to Governance Rules (#15325, @tgraf)
* VM support has been updated to make use of the new `cilium` cluster CLI tool. (#15320, @jrajahalme)
* wireguard: Add pod2pod encryption support in tunnel mode and fix IPv6 for direct routing mode (#15716, @brb)
* wireguard: Add support for managed K8s (#15674, @gandro)

**Bugfixes:**
* `toFQDNs` rules now allow underscores in match patterns and names (#15801, @jrajahalme)
* bpf: Fix defines in policy.h (#15763, @pchaigno)
* bpf: fix map\_array\_get\_16 backend retrieval (#15808, @borkmann)
* cilium: encryption, auto-discover interface and subnet (#15357, @jrfastab)
* ctmap: do not call InitMapInfo() in init() (#15590, @kkourt)
* daemon/ipam: correct total IP count in `cilium status` output (#15707, @ArthurChiao)
* Decrease verbosity of error "Unable to update ipcache map entry on pod add" for certain conditions (#15757, @aanm)
* encryption: Limit encryption keys to 2 bits (#15335, @tgraf)
* eni: Assign primary IP to support multiple VPC CIDRs (#15453, @gandro)
* Envoy is updated with security fixes for Envoy CVEs released on 4/15/2021 (#15725, @jrajahalme)
* Fix a bug that was causing Azure IPAM to not work when ApplicationSecurityGroups were attached to IPConfigurations of a NIC. (#15194, @AnishShah)
* Fix an issue where packets are dropped when a pod connects to itself via a service clusterIP. (#15321, @aditighag)
* Fix bug where any non-leader Operator in HA mode would crash updating CRDs (#15544, @christarazi)
* Fix channel panic from ipcache kvstore reconnect (#15668, @jomenxiao)
* Fix ethtool issues (#15622, @tklauser)
* Fix ICMP Echo ID placement in CT maps (#15275, @brb)
* Fix the initialization of host endpoint labels (#15780, @pchaigno)
* Fixing pods restart on nodes running containerd on COS (#14708, @fallard84)
* Handle events with pod IP and node IP addresses being modified (#15803, @aanm)
* ipam: Fix ENI routing for secondary CIDRs (#15303, @gandro)
* ipcache: Expose correct source in Cilium API (#15706, @gandro)
* kvstore/etcd: fix etcd rate limit (QPS) not working (#15742, @ArthurChiao)
* kvstore: Fix aborted delayed delete warning (#15409, @tgraf)
* lib/proxy.h: set variable as maybe unused to avoid compilation error (#15607, @johngv2)
* nat: Do not increment delete error metric on nat entry GC (#15587, @joamaki)
* pkg/k8s: reset k8s event lag metric on pod add (#15804, @aanm)
* Treat empty NetworkPolicyPort as "all ports on TCP" during network policy parsing (#14720, @mattfenwick)
* Wait for endpoints to be stopped on agent shutdown (#15447, @jaffcheng)

**CI Changes:**
* .github: fix kind GH action for encryption e2e tests (#15731, @aanm)
* .travis: Disable email notifications on master failures (#15373, @pchaigno)
* Github action to verify that every commit in a PR compiles on its own (#15659, @Ankurk99)
* Run cloud provider conformance tests every 6 hours (#15796, @michi-covalent)
* Add cyclonus network policy tester. (#14889, @mattfenwick)
* bpf: Extend datapath options for K8sVerifier test (#15540, @pchaigno)
* ci: add AKS workflow (#15466, @nbusseneau)
* ci: add EKS workflow (#15465, @nbusseneau)
* ci: add gke workflow (#15416, @nebril)
* ci: Fix `BGP router does not have route for LB IP` (#15771, @gandro)
* ci: Fix local files chmod in test vagrantfile (#15397, @nebril)
* ci: Fix nightly image (#15605, @nebril)
* ci: fix nightly image sha (#15708, @nebril)
* ci: fix/update GKE workflow (#15482, @nbusseneau)
* ci: push cilium-test image to quay.io, use it in nightly (#15569, @nebril)
* ci: retry gke cluster scale up, don't clear cluster at start (#14819, @nebril)
* cilium: Add workflows for GKE in tunnel mode, with and without encryption (#15678, @jrfastab)
* cilium: test encryption workflows for GKE (#15595, @jrfastab)
* cilium: Use build-and-push-with-qemu for builder (#15679, @jrfastab)
* daemon: Do not attach bpf\_host to L3 dev if skb\_change\_head is unavailable (#15343, @brb)
* Remove unused jenkinsfiles (#15578, @aanm)
* Revert "ci: push cilium-test image to quay.io, use it in nightly" (#15574, @pchaigno)
* test/gke: refactor test-clusters operations (#15863, @nbusseneau)
* test/gke: use correct cluster IPv4 CIDR (#15346, @jibi)
* test/helpers: Support non-standard nodes names with NO\_CILIUM\_ON\_NODE (#15384, @christarazi)
* test/provision: adjust Dockerfiles considered for image download (#15389, @tklauser)
* test: add e2e tests for fromEntities: cluster and all (#15398, @chez-shanpu)
* test: Allow hostfw tests to run on GKE (#15479, @pchaigno)
* test: CI pipeline with kube-proxy running alongside our replacement (#14543, @pchaigno)
* test: Disable host firewall in incompatible tests (#14545, @pchaigno)
* test: ensure kubectl version is available for test run (#15748, @nebril)
* test: Format test-only's kernel\_version to avoid mistakes (#15743, @pchaigno)
* test: K8sUpdates: Remove deprecated code (#15349, @pchaigno)
* test: make RunsOnNetNextKernel() helper work with KERNEL="net-next" (#15395, @qmonnet)
* test: Make Wireguard tcpdump filter more fine grained (#15507, @brb)
* test: quarantine failing NodePort tests on 1.14 (#15415, @nebril)
* test: Skip K8sPolicy on GKE and 4.19 (#15762, @pchaigno)
* test: Uncouple KPR from presence of kube-proxy (#15543, @pchaigno)
* test: Unquarantine K8sVerifier on k8s-all (#15154, @pchaigno)
* test: update k8s testing versions to 1.18.18, 1.19.10 and 1.20.6 (#15755, @aanm)
* test: Use node labels when testing host policies (#15714, @pchaigno)
* test: Wait for cilium monitor to match expected output (#15848, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15772, @pchaigno)
* vagrant: Bump all Vagrant box versions (#15812, @pchaigno)
* vagrant: Upgrade Vagrant box versions (#15356, @aditighag)
* wireguard: Add pod2pod encryption tests (#15573, @brb)
* workflows: add encryption for AKS testing (#15657, @nbusseneau)
* workflows: add multicluster CI 3.0 workflow (#15710, @nbusseneau)
* workflows: fix EKS encryption testing not using aws operator image (#15745, @nbusseneau)
* workflows: fix GKE `if` condition (#15788, @nbusseneau)
* workflows: fix schedule triggers (#15813, @nbusseneau)
* workflows: improvements to CI 3.0 workflows (#15694, @nbusseneau)
* workflows: increase multicluster timeout to 30 minutes (#15811, @nbusseneau)
* workflows: small fixes to Kind (#15658, @nbusseneau)

**Misc Changes:**
* .github: change dependabot interval to daily (#15651, @aanm)
* .github: fix markdown typo (#15792, @aanm)
* .github: remove unnecessary docker hub credentials (#15841, @aanm)
* .github: update steps for the release process of a RC (#15319, @aanm)
* Add Cluster Health metrics (#15380, @h3llix)
* Add custom resource for egress nat policies (#14998, @MasterZ40)
* add doc for AlibabaCloud ENI (#15512, @l1b0k)
* add support for EndpointSlice V1 (#15524, @aanm)
* Add support to enable EndpointStatus in Helm chart (#15844, @carloscastrojumo)
* Add warning log when host enables SELinux (#15414, @konghui)
* Adds ipv6 support for local-router-ip (#15662, @Weil0ng)
* all: don't use the deprecated io/ioutil package (#15242, @tklauser)
* Assign specific, unique ports for pprof (Agent, Operator, Hubble Relay) (#15441, @christarazi)
* AUTHORS: Update email (#15885, @jrajahalme)
* aws/eni/limits: lazily populate limits map (#15523, @tklauser)
* azure: Fix API rate limit test (#15493, @twpayne)
* bpf: Comment BPF hook points, some tail calls, and local delivery code (#15204, @pchaigno)
* bpf: initial pcap exporter for lb (#15376, @borkmann)
* bpf: lift port restriction and allow l4 dnat in ipip (#15396, @borkmann)
* bpf: option for selecting DSR L4 DNAT method for IPIP (#15880, @borkmann)
* bpf\_host: declare variables in the beginning of the block (#15560, @johngv2)
* bugtool: dump iptables-legacy and iptables-nft (#15363, @h3llix)
* build(deps): bump actions/cache from v2.1.4 to v2.1.5 (#15666, @dependabot[bot])
* build(deps): bump actions/download-artifact from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9 (#15582, @dependabot[bot])
* build(deps): bump docker/build-push-action from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0 (#15586, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2 (#15600, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2a4b53665e15ce7d7049afb11ff1f70ff1610609 to 1.2.0 (#15862, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 25f0500ff22e406f7191a2a8ba8cda16901ca018 to 1.1.0 (#15854, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2 (#15585, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.2 to 1.0.3 (#15358, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.6 to 0.5.7 (#15412, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#15552, @dependabot[bot])
* build(deps): bump jinja2 from 2.10.1 to 2.11.3 in /Documentation (#15407, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 (#15571, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 (#15684, @dependabot[bot])
* build(deps): bump pygments from 2.4.2 to 2.7.4 in /Documentation (#15495, @dependabot[bot])
* build(deps): bump pyyaml from 5.3.1 to 5.4 in /Documentation (#15473, @dependabot[bot])
* build(deps): bump Sibz/github-status-action from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5 (#15584, @dependabot[bot])
* build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 (#15599, @dependabot[bot])
* Bump hubble UI version and pinned digest for envoy proxy (#15889, @aanm)
* cilium/cmd: don't write copyright header in generated shell completion (#15845, @tklauser)
* cilium: Fix EKS encryption panic and reinit path and add workflows test (#15669, @jrfastab)
* cilium: pcap recorder agent management (#15633, @borkmann)
* cilium: pcap recorder follow ups (#15782, @borkmann)
* CODEOWNERS: Add @cilium/wireguard for pkg/wireguard (#15618, @brb)
* CODEOWNERS: Add pkg/bgp (#15663, @christarazi)
* CODEOWNERS: Create cilium/alibabacloud team (#15665, @l1b0k)
* CODEOWNERS: Create cilium/loader team (#15451, @pchaigno)
* CODEOWNERS: Remove @cilium/monitor team (#15368, @pchaigno)
* contrib: add dual-stack support for dev VMs (#15827, @aanm)
* contrib: Clean output of submit-backport script (#15838, @pchaigno)
* contrib: fix remote overriding (#15328, @kaworu)
* custom calls: cleanup and improve a few elements (#15480, @qmonnet)
* daemon/cmd: fix Cilium version status output (#15649, @aanm)
* daemon: Add hidden --cflags debug command (#15549, @joestringer)
* daemon: Create RuntimePath if not equal to StateDir (#15711, @oblazek)
* daemon: Fatal on XDP + egress gateway (#15511, @pchaigno)
* daemon: Fix the init of the endpoints' datapath config (#15785, @pchaigno)
* daemon: log errors from bpf.TestDummyProg() (#15460, @rgo3)
* daemon: Make Hubble Recorder API opt-out (#15781, @gandro)
* daemon: Remove unnecessary log (#15776, @christarazi)
* datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen (#15646, @tklauser)
* datapath/linux/probes: remove unused (\*ProbeManager).GetMisc (#15647, @tklauser)
* datapath: Move XDP handling from bpf/init.sh to agent (#15497, @brb)
* doc: Add Egress Gateway Getting Started Guide (#15661, @MasterZ40)
* docs/contrib: Clarify the options for the Vagrant setup (#15835, @pchaigno)
* docs/encryption: Document limitations and workarounds (#15876, @gandro)
* docs/policy: Clarify table for deny policy scenarios (#15836, @pchaigno)
* docs: Add BGP GSG (#15519, @christarazi)
* docs: add cilium-operator technical overview documentation (#14530, @fristonio)
* docs: Add section for filtering by subnet tags in ENI mode (#15635, @christarazi)
* docs: Add Wireguard Getting Started Guide (#15787, @gandro)
* docs: De-duplicate k8s integration section (#15454, @joestringer)
* docs: document final steps for nomination of new committers (#15378, @qmonnet)
* docs: example cluster-wide health endpoint (#15348, @Shikugawa)
* docs: Fix commands for IPSec key rotations (#15481, @pchaigno)
* docs: Fix invalid link for BPF Newsletter (#15746, @LiangZhou-CTY)
* docs: Fix pip installation (#15705, @brb)
* docs: Fix sed in OKD GSG (#15822, @christarazi)
* docs: fix the Cilium namespace in GKE (#15463, @kaworu)
* docs: Hide "Edit on GitHub" buttons (#15579, @joestringer)
* docs: Make cross-cluster policy more explicit (#15778, @jrajahalme)
* docs: Mention KUBEPROXY ENV var in e2e section (#15535, @brb)
* docs: Tweak backporting doc (#15369, @twpayne)
* docs: Update DNS proxy timeout value (#15581, @aditighag)
* docs: update k3s installation instructions (#15503, @aanm)
* docs: use dedicated Sphinx role to reference GitHub issue (#15814, @qmonnet)
* Documentation: fix key rotation command in encryption guide (#15365, @mauriciovasquezbernal)
* Egress NAT control plane watchers and egress policy manager (#15134, @MasterZ40)
* endpoint: Add named type for endpoint state (#15614, @ammmk)
* ENI migration followups (#15702, @christarazi)
* examples: add 'rebel-base-global-shared.yaml' (#15886, @bmcustodio)
* examples: Split host policies for dev. VMs (#15577, @pchaigno)
* Extend the monitor notification interface with endpoint id getter (#15391, @aditighag)
* Fix BPF\_JMP\_MAP\_ID on tail call toy example. (#15576, @yiannisy)
* Helm: adjust comment in values.yaml to accommodate Vim users (#15334, @qmonnet)
* images/runtime: update ubuntu base image (#15615, @aanm)
* images: squash common operator images in a single Dockerfile (#15849, @aanm)
* Improve release scripts (#15294, @joestringer)
* Improve the docs CRD schema version update script (#15869, @joestringer)
* install/kubernetes: fix upgrade envoy to 1.18.2 for Hubble UI (#15879, @kaworu)
* ipam: Fix empty interface number in Azure (#15533, @christarazi)
* ipsec: Fix routing CIDR iteration on EKS (#15645, @gandro)
* iptables: GetProxyPort(): run iptables quietly (#15779, @kkourt)
* iptables: use CILIUM_\* chains for per-endpoint no CT rules (#15411, @jibi)
* k8s/api: More consistent field name capitalisation (#15521, @errordeveloper)
* k8s: Consolidate check for EndpointSlice support (#15561, @christarazi)
* k8s: Fix Wireguard with IPAM != ClusterPool (#15784, @gandro)
* k8s: Introduce subscriber package to simplify & consolidate K8s watcher callbacks / event handling (#15295, @christarazi)
* Kata: Mention incompatibility with host-reachable services or strict KPR in documentation (#15589, @qmonnet)
* loader : Log upsert and remove route errors (#15339, @h3llix)
* loader : Log upsert and remove route errors (#15525, @h3llix)
* MAINTAINERS: update MAINTAINERS.md (#15603, @kaworu)
* Make encryption+chaining limitations clearer (#15598, @joestringer)
* make: add help target to root Makefile for printing info about available targets (#15087, @fristonio)
* Makefile: Fix microk8s image target (#15516, @joestringer)
* mtu: Switch to v/netlink for querying netdevs (#15260, @brb)
* Multi-arch enabled strip operations (#15113, @TrevorTaoARM)
* node-neigh: Reduce arping related log msg's level (#15261, @brb)
* node: Remove SetInternalIPv4From Method (#15873, @nathanjsweet)
* pkg/client/client.go: Set EnabledProtocols when pointer is nil (#15688, @johngv2)
* pkg/datapath: ignore certain error types on route delete (#15730, @aanm)
* pkg/k8s: fix concurrent access in CNP field (#15518, @aanm)
* pkg/k8s: set the right api group for EndpointSlice (#15631, @aanm)
* pkg/sysctl: Sanitize parameter names (#14533, @twpayne)
* policy: improve CNP initial sync (#15492, @jaffcheng)
* Prepare branch for v1.10 release cycle (#15868, @joestringer)
* Prepare helm charts for v1.10.0-rc0 (#15322, @aanm)
* release: Automate image digest PR creation (#15818, @joestringer)
* Remove duplicated ruleLabels in DerivedFromRules (#15280, @aanm)
* Remove NEEDS\_RELAX\_VERIFIER (#15610, @rscampos)
* rename ciliumNodeInformer to ciliumEndpointsInformer according to the context (#15806, @sstoner)
* Revert "encryption: Limit encryption keys to 2 bits" (#15487, @brb)
* Revert "loader : Log upsert and remove route errors" (#15517, @nbusseneau)
* Revert exported NoTrack rule function names. (#15505, @Weil0ng)
* Simplify runtime/builder image update (#15326, @tklauser)
* Small updates to image build doc to make it a bit clearer (#15816, @Weil0ng)
* source: Reorder AllowSource switch Statement and Comment Nits (#15696, @nathanjsweet)
* Stub out some functionality on non-Linux platforms (#15355, @joestringer)
* test: Remove nop condition from tests (#15541, @pchaigno)
* test: update add\_vagrant\_box.sh (#15831, @twpayne)
* test: update k8s tested versions (#15528, @aanm)
* test: update k8s to 1.21.0 (#15616, @aanm)
* ui deployment: upgrade envoy to 1.18.2, fix config (#15847, @geakstr)
* Update AWS deps (#15759, @ungureanuvladvictor)
* Update Go to 1.16.2 (#15344, @tklauser)
* Update Go to 1.16.3 (#15566, @tklauser)
* Update gops to v0.3.18 and build it statically linked (#15853, @tklauser)
* Update kube-router YAML to a newer release in the guide (#15639, @weirdwiz)
* Update stable releases (#15805, @joestringer)
* Updates golang:1.16.3 digest (#15790, @Weil0ng)
* Use go embed and remove go-bindata dependency (#15834, @aanm)
* vagrant: Follow cilium-agent options on development VM to Helm defaults (#15367, @Shikugawa)
* vendor: Bump to latest vishvananda/netlink (#15461, @joestringer)
* vendor: Update sigs.k8s.io/structured-merge-diff to v4.1.0 (#15488, @christarazi)
* vendor: Upgrade github.com/cilium/ebpf to v0.5.0 (#15386, @aditighag)
* wireguard: Better error message if kernel support is lacking (#15825, @gandro)
* wireguard: Fix rp\_filter setting (#15542, @brb)
* wireguard: Improve logging (#15807, @brb)
* wireguard: Remove operator and disable KPR encryption (#15565, @brb)

## v1.10.0-rc0

**Note**: The summary of changes below reflects the diff between the last stable
release (v1.9.5) and tag v1.10.0-rc0.

Summary of Changes
------------------

**Major Changes:**
* Add --datapath-mode=lb which allows cilium-agent to run as a standalone loadbalancer (#13670, @brb)
* Add NodePort BPF support to L2-less devices (wireguard, tun, etc) (#14858, @brb)
* Add the ability to masquerade IPv6 traffic when using iptables masquerading mode. This behavior can be enabled/disabled by using `enable-ipv6-masquerade` agent option. (#14124, @fristonio)
* Cilium now builds and installs on ARM64 machines. (#14207, @jrajahalme)
* Update to Kubernetes 1.20 (#14248, @aanm)

**Minor Changes:**
* Add digest flags to specify docker images digests in helm charts (#15185, @aanm)
* Add labels to scrape cilium agent and operator metrics (#14747, @lyveng)
* Add metrics for identity garbage collection in cilium-operator (#14254, @ArthurChiao)
* Add new `cilium_bpf_map_pressure` metric measuring the fill-up ratio of selected BPF maps. (#14131, @jcaamano)
* Add startupProbe for Cilium-agent for faster readiness in Kubernetes >= 1.20 (#14518, @youssefazrak)
* Add support for agent events to Hubble API (#14168, @tklauser)
* Added --bpf-lb-bypass-fib-lookup flag, which toggles the BPF nodeport reverse NAT FIB lookup optimization (#14978, @skuffe)
* Adds capability to filter events based on IP version. (#14556, @nyrahul)
* Agent: consistent 'containerID' field in the log of the requests EP-delete and EP-create (#14713, @romanspb80)
* api/hubble: add AUDIT policy verdict (#14785, @jaffcheng)
* arp: Add retries to arping (#14601, @brb)
* bpf: add LB ipip health check datapath (#14610, @borkmann)
* bpf: add option for RSS-friendly outer srcIP prefix w/ mixing for DSR (#14276, @borkmann)
* bpf: bpf host routing for tunneling (#15148, @borkmann)
* CI 3.0: A New Hope (#15144, @tgraf)
* cilium/cmd: improve 'bpf metrics list' JSON output (#13731, @jibi)
* cleanup/metrics: Cleanup deprecated metrics (#13659, @sayboras)
* cni-(un)install: don't touch CNI dir if CILIUM_CUSTOM_CNI_CONF is set (#14910, @ti-mo)
* Consolidate kernel options probing and provide brief descriptions for missing parameters, in logs or for "cilium kernel-check". (#12383, @brandshaide)
* Create top level eni block for Helm values and add more options to it (#14470, @ungureanuvladvictor)
* daemon: Allow to specify dev to inherit IP addr for LB devs (#14259, @brb)
* doc: Document minimal version of AWS CNI in chaining mode (#15304, @tgraf)
* docs: document --nodes and --since cilium-sysdump's options (#14058, @jibi)
* Enable bandwidth-manager by default for new deployments (#13535, @qmonnet)
* Envoy proxy is updated to release 1.16.2 (#14680, @jrajahalme)
* Envoy use of original source address in upstream connections is disabled when datapath is tunneling. (#14594, @jrajahalme)
* Extend cilium-operator binary to be used as command line tool (#14484, @fristonio)
* Helm: Using external serviceAccounts is now possible. (#14731, @youssefazrak)
* Honor `allocateLoadBalancerNodePorts` in Kubernetes LoadBalancer service spec. (#14465, @fristonio)
* Hubble-ui now supports imagePullSecrets being passed in (#15109, @domgoodwin)
* hubble/metrics: Add support for fallback labels, ip addresses and dns names (#14848, @gandro)
* Hubble: add GetNodes rpc endpoint (#13979, @rolinh)
* hubble: Add node name filter (#13938, @twpayne)
* hubble: Add support for Cilium debug events (#14602, @gandro)
* hubble: allow filtering by agent event subtypes (#14305, @tklauser)
* hubble: distinguish AUDIT policy verdict from FORWARDED (#14923, @jaffcheng)
* hubble: Extend IP filter to support CIDR ranges (#14316, @michi-covalent)
* hubble: Support for debug capture events (#14432, @gandro)
* Istio integration is updated to Istio release 1.8.2. (#14704, @jrajahalme)
* kubectl: print additional information for CiliumIdentities (#14496, @elfadel)
* maglev: Parallelize calculation of permutations (#14597, @brb)
* Make Cilium the only CNI configuration available in the host to prevent pods from being managed by other CNIs while performing Cilium upgrades. (#14192, @aanm)
* Merge monitor API types EndpointDeleteNotification and EndpointCreateNotification into type EndpointNotification (#14126, @tklauser)
* node-neigh: add metric to count arping requests (#14816, @jaffcheng)
* operator: added --pprof flag/endpoint (#14903, @mvisonneau)
* Remove deprecated v1.10 options (#14291, @jibi)
* Remove the unused container runtime status and DNS poller names properties from Cilium API. (#14590, @tklauser)
* Report events that are lost in Hubble's ring buffer. (#14307, @rolinh)
* set cilium agent to only run on linux nodes (#14495, @answer1991)
* Tag ENIs at creation time (#14500, @ungureanuvladvictor)
* TCP flags based filter for hubble. (#13826, @nyrahul)
* tools: Add initial dev-doctor (#13772, @twpayne)

**Bugfixes:**
* Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator (#14970, @bluestealth)
* Avoid exposing full Cilium API in LB-only mode (#14098, @christarazi)
* daemon, config: regenerate endpoint datapath on agent config change (#13971, @jaffcheng)
* Fix backwards compatibility of status API (#15143, @tgraf)
* Fix bug where `enable-endpoint-routes` change required all pods to restart to take effect (#15228, @pchaigno)
* Fix rounding behavior when specifying a capacity for Hubble's buffer. (#13894, @rolinh)
* Helm: Respect serviceAccounts.*.create value (#14711, @youssefazrak)
* hubble: Fix numeric identity lookup for FQDN identities (#14477, @gandro)
* ipam/aws: fixed a bug causing the operator to hang indefinitely when the ENI limits for an instance type could not be determined (#14905, @mvisonneau)
* ipam/aws: updated EC2 instances ENI limits and added a helper function to make it easier to do so in the future (#14906, @mvisonneau)
* node: Fix CIDR comparison when updating routes (#15263, @brb)
* operator: release leader lease lock on operator exit (#14554, @fristonio)
* service: Restore Maglev table when M changes (#14469, @brb)
* Use new metric names for cilium-operator dashboard (#14507, @ungureanuvladvictor)

**CI Changes:**
* .github, bpf: Update reference to cilium-checkpatch image (#14700, @pchaigno)
* .github/workflows: remove `go version` commands from golangci-lint job (#15238, @tklauser)
* .travis: fail Travis if race detection builds also fail (#15199, @aanm)
* Add 'nilness' to golangci (#14066, @joestringer)
* Add CIIntegrationEKSENI CNI integration for ENI IPAM on EKS (#14423, @ungureanuvladvictor)
* bpf: Fix compilation of bpf_ct_tests (#14862, @pchaigno)
* ci: add CodeQL analysis (#14514, @twpayne)
* ci: Add quarantine capabilities to k8s-all jenkinsfile (#14150, @nebril)
* ci: Bump vagrant boxes (#14982, @gandro)
* ci: change manifest path for perf test (#14183, @nebril)
* ci: Check gke cluster state before selecting it (#14130, @nebril)
* ci: fix checking for pr git sha in jenkinsfiles (#15007, @nebril)
* ci: fix nightly image (#14170, @nebril)
* ci: offload baremetal "K8s all" builds to sub-jobs (#14861, @Skymirrh)
* ci: push cilium-test-dev image to quay, accept tags in the test script (#14169, @nebril)
* ci: remove params from upstream k8s job (#15168, @nebril)
* ci: skip gke clusters with ongoing operations (#14348, @nebril)
* ci: use host images in master job (#14311, @nebril)
* ci: use host kubectl in k8s-all (#14302, @nebril)
* ci: Use images built on host in k8s-all job (#14292, @nebril)
* ci: use images from quay.io (#14937, @nebril)
* ci: use separate Jenkins jobs for daily master tests + CI documentation overhaul (#14997, @Skymirrh)
* ci: wait for quay images and boot vms in parallel (#15300, @nebril)
* contrib: Add integration testing shell helpers (#14404, @joestringer)
* docs: Update trigger phrase for Cilium-PR-Ginkgo-Tests-Kernel-Focus (#14849, @pchaigno)
* DualStack kubernetes based IPv6 testing for Cilium (#14461, @fristonio)
* e2e: Make ginkgo default to verbose mode (#15184, @qmonnet)
* Enable identity + cli + health e2e tests on EKS (#14519, @ungureanuvladvictor)
* jenkinsfile: Increase timeout for k8s-all tests (#14583, @pchaigno)
* jenkinsfiles: remove unused environment variables (#15125, @aanm)
* labelsfilter: Fix test for default filters (#15024, @pchaigno)
* Remove docker-compose leftovers (#14426, @tklauser)
* Removed unnecessarily redundant static analysis in CI to streamline CI running times. (#14400, @nathanjsweet)
* Revert "refactor: Remove `time.After` from any Loops" (#14371, @tklauser)
* run bpf_ct_tests as part of CI (#14916, @kkourt)
* test/helpers: fix GetBPFPacketsCount (#14663, @jibi)
* test/helpers: remove unused functions and consts (#15241, @tklauser)
* test/k8sT/manifests: use image hash with cilium-builder image (#13982, @tklauser)
* test: add iptables masquerading without random-fully test (#14476, @jibi)
* test: add nil check to CiliumReport to prevent segfaults (#14210, @nebril)
* test: Always select nodes by label (#14867, @pchaigno)
* test: change access of go dir in test vm (#15265, @nebril)
* test: Collect object file artifacts for K8sVerifier (#14129, @pchaigno)
* test: disable fqdn connectivity test during restart (#13930, @tklauser)
* test: Disable K8sVerifier on 4.19 and net-next CI pipelines (#14162, @pchaigno)
* test: Disable unsupported features on 4.9 to reduce warnings (#15001, @pchaigno)
* test: Extend coverage for host policies enforcement (#14822, @pchaigno)
* test: Fix kube-proxy service tests when running with socket-level LB (#14699, @pchaigno)
* test: Fix local tests (#15130, @pchaigno)
* test: Mark GKE CI pipeline as running Linux 4.19 (#14639, @pchaigno)
* test: Move RuntimeCLI to K8sCLI (#14017, @pchaigno)
* test: Quarantine flakes from k8s-all CI pipeline (#14151, @pchaigno)
* test: quarantine flaking datapathconfig tests on 1.17 (#14188, @nebril)
* test: Quarantine K8sUpdates on GKE (#13899, @pchaigno)
* test: quarantine K8sVerifier on k8s-all (#14409, @nebril)
* test: Quarantine test with secondary NodePort device (#15003, @pchaigno)
* test: Reduce build durations (#14223, @pchaigno)
* test: Reenable debug mode for monitor tests (#15127, @pchaigno)
* test: remove leftovers of running own registry in GKE tests (#15124, @tklauser)
* test: Remove spammy "Cilium DaemonSet not ready yet" logs (#14544, @pchaigno)
* test: Respect cilium.holdEnvironment on Cilium status check (#15219, @pchaigno)
* test: Respect cilium.holdEnvironment on DNS check (#14695, @pchaigno)
* test: Un-Quarantine K8sUpdates on GKE (#14464, @gandro)
* test: Unquarantine K8sUpdates under GKE (#13793, @pchaigno)
* test: Unquarantine the random-fully test (#15205, @pchaigno)
* test: Unquarantine tunneling + endpoint routes test (#15152, @pchaigno)
* test: Use stable tags instead of :latest (#14093, @pchaigno)
* vagrant: bump all box versions (#14274, @jibi)
* vagrant: Bump all Vagrant box versions (#14167, @pchaigno)

**Misc Changes:**
* .dockerignore: add *.box files (#14045, @kkourt)
* .github: add GitHub actions to build images (#14917, @aanm)
* .github: Bump project for 1.9.0-rc4 (#13880, @joestringer)
* .github: change step order (#14703, @aanm)
* .github: checkout right SHA for base images (#15069, @aanm)
* .github: Don't mark good-first-issues as stale (#14908, @pchaigno)
* .github: Fix cilium project management for v1.9 (#14065, @joestringer)
* .github: fix correct sha for images build (#15065, @aanm)
* .github: publish tags from master branch in official repositories (#15078, @aanm)
* .github: set :latest tag for merges into master branch (#14933, @aanm)
* .github: set different workflow IDs (#14932, @aanm)
* .github: update GH actions on stable branches (#15208, @aanm)
* .github: update release process (#14672, @aanm)
* .github: update v1.9 cilium-actions project number (#14683, @aanm)
* .github: use quay.io images in smoke tests (#15005, @aanm)
* .gitignore: add .vscode/ directory (#14664, @ti-mo)
* Add ability to mock kernel feature prober and expand BPF map tests (#14876, @christarazi)
* Add dev-docker-operator-image makefile directive (#14387, @ungureanuvladvictor)
* Add ebpf map cilium_egress_v4 for egress gateway (#14712, @anfernee)
* Add fuzzer with OSS-fuzz build script (#14202, @AdamKorcz)
* add GH action to push hot fix images into -dev repositories (#15061, @aanm)
* Add hubble relay docker images + fix k8s version for eks in contrib testing script (#14478, @ungureanuvladvictor)
* Add multi-arch support to all images (#15023, @aanm)
* Add TagSpecifications to ec2:CreateNetworkInterface only when len > 0 (#14571, @ungureanuvladvictor)
* Add tunnel mode config and egress gateway config params (#14723, @MasterZ40)
* add_vagrant_box.sh: Fix download issue and update help message (#14553, @qmonnet)
* add_vagrant_box.sh: Fix incorrect vagrant box updates (#14527, @pchaigno)
* add_vagrant_box.sh: remove downloaded files after installing a VM image (#14686, @qmonnet)
* Added ArangoDB Oasis to USERS list (#14697, @ewoutp)
* Added build comment to oss-fuzz build file (#14856, @AdamKorcz)
* Added flag `proxy.prometheus.enabled` to helm chart for disabling service (#14688, @yuriydzobak)
* Added Tailor Brands to users (#14605, @liorrozen)
* Address #13894 nits (#13985, @jibi)
* Address shellcheck warnings in cni-(un)install.sh. (#14467, @ti-mo)
* Adds pod annotation to manage iptables NOTRACK rules. (#13805, @Weil0ng)
* Agent: Include Cilium version in output of 'cilium status --verbose' (#14492, @romanspb80)
* agent: Make intent of signaling channels clear and optimize memory (#14075, @aditighag)
* alignchecker: git should not ignore bpf_foo.o (#14046, @kkourt)
* all: bump Alpine base image to 3.13.1 and add meta image SHA256 sum (#14795, @rolinh)
* all: use UUIDv4 instead of UUIDv1 (#14351, @tklauser)
* allocator: Quieten local key allocation logging (#14804, @joestringer)
* api/hubble: Explicitly mark unused fields as reserved (#13809, @gandro)
* arp: Set deadline for each retry (#14651, @brb)
* bpf/lb: Skip service handling for ICMP packets (#12552, @pchaigno)
* bpf: allow prefix of /32 and /128 in RSS src CIDR (#14367, @borkmann)
* bpf: datapath: Fix fetching configured base devices (#14456, @mrostecki)
* bpf: datapath: Rewrite base devices setup in Go (#13915, @mrostecki)
* bpf: fix health cilium_ipip6 collect_md mode (#15281, @borkmann)
* bpf: fixes for host routing (#15240, @borkmann)
* bpf: lb pmtu discovery support (#14980, @borkmann)
* bpf: use LB addr as srcIP for outer hdr in DSR/IPIP (#14260, @borkmann)
* bpf: Use optimized memset in send_trace_notify (#14450, @pchaigno)
* Bugtool: add taskset (#14568, @youssefazrak)
* bugtool: Record attached BPF programs (#14895, @aditighag)
* Bugtool: route tables are dynamically dumped (#14488, @youssefazrak)
* build(deps): bump actions/cache from v2 to v2.1.4 (#14880, @dependabot[bot])
* build(deps): bump actions/setup-go from v1 to v2.1.3 (#14715, @dependabot[bot])
* build(deps): Bump aws-sdk-v2 to official releases (#14794, @sayboras)
* build(deps): bump docker/build-push-action from 4a531fa5a603bab87dfa56578bd82b28508c9547 to 2.3.0 (#15049, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.0.0 to 1.1.0 (#14881, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.0.0 to 1.0.2 (#15139, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.10 to 0.9.13 (#15050, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.5 to 0.5.6 (#14771, @dependabot[bot])
* build(deps): bump github.com/containernetworking/cni from 0.8.0 to 0.8.1 (#14976, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.24 to 0.19.26 (#14836, @dependabot[bot])
* build(deps): bump github.com/go-openapi/spec from 0.20.0 to 0.20.2 (#14832, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.19.11 to 0.20.0 (#14768, @dependabot[bot])
* build(deps): bump github.com/go-openapi/validate from 0.20.0 to 0.20.1 (#14823, @dependabot[bot])
* build(deps): bump github.com/google/uuid from 1.1.4 to 1.2.0 (#14855, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.10.3 to 1.10.5 (#14833, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil from 2.20.4+incompatible to 2.20.9+incompatible (#14809, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#14772, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2 to v2.4.0 (#14975, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from v2.5.0 to v2.5.1 (#15248, @dependabot[bot])
* build(deps): bump helm/kind-action from v1.0.0 to v1.1.0 (#14716, @dependabot[bot])
* build(deps): bump k8s.io/apiextensions-apiserver from 0.20.1 to 0.20.2 (#14786, @dependabot[bot])
* build(deps): bump k8s.io/apimachinery from 0.20.1 to 0.20.2 (#14811, @dependabot[bot])
* build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.2 (#14810, @dependabot[bot])
* build(deps): bump k8s.io/code-generator from 0.20.1 to 0.20.2 (#14769, @dependabot[bot])
* build(deps): bump k8s.io/klog/v2 from 2.4.0 to 2.5.0 (#14824, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from v1 to v1.1.1 (#15247, @dependabot[bot])
* build(deps): update docker/build-push-action requirement to 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a (#15138, @dependabot[bot])
* build(deps): update helm/kind-action requirement to v1.1.0 (#15279, @dependabot[bot])
* build: Minor fixes to .gitignore and docs (#13626, @twpayne)
* Bump alpine base image to 3.13.0 (#14718, @tklauser)
* Bump aws-go-sdk-v2 to v0.30.0 (#14460, @ungureanuvladvictor)
* Bump aws-go-sdk-v2 to v0.31.0 (#14490, @ungureanuvladvictor)
* Bump gops to 0.3.16 (#15213, @tklauser)
* Bump vendored dependencies (#14572, @tklauser)
* Bump vendored dependencies (part 2) (#14606, @tklauser)
* Centralize building of the aws.Config object (#14048, @ungureanuvladvictor)
* Check whether to setup proxy rules when init bpf (#14542, @ChangyuWang)
* ci/dependabot: fix labels (#14773, @rolinh)
* ci/docker: Add operator dir into Dockerfile.dockerignore (#14069, @sayboras)
* ci: Add initial dependabot configuration (#14694, @twpayne)
* ci: build race-detection images in GH actions (#14979, @nebril)
* CI: fix cron values for CodeQL analysis (#14575, @twpayne)
* ci: only run CodeQL analysis on cilium/cilium (#14633, @twpayne)
* ci: only run Nightly workflows on cilium/cilium (#14612, @kaworu)
* cilium/cmd, vendor: use github.com/russross/blackfriday/v2 (#14261, @tklauser)
* cilium/cmd: Fix skipping of .git directories (#13760, @twpayne)
* cilium/cmd: mark tests as unprivileged (#13933, @tklauser)
* cilium/cmd: remove unnecessary parseLabels func (#13988, @tklauser)
* cilium/cmd: Replace exit code -1 with exit code 1 (#13761, @twpayne)
* cilium: Drop encryption with tunnel support beta tag (#13801, @jrfastab)
* cilium: error out in svc upsert on frontend/backend ports mismatch on IPIP (#14372, @borkmann)
* cilium: Use strings, not byte slices, for JSON dumps (#14041, @twpayne)
* Clarify description of IPSec configuration format and encryption options (#14760, @Andrey9kin)
* cleanup/unused: Remove un-used code in codebase (#14113, @sayboras)
* cli: Add LB IP to cilium status (#14445, @brb)
* cli: Rename kpr Protocols status field (#14977, @brb)
* coccinelle: update to python3 (#14522, @kaworu)
* CODEOWNERS: add daemon/cmd/kube_proxy_* and pkg/bandwidth (#13818, @tklauser)
* CODEOWNERS: Add pkg/maglev to @cilium/loadbalancer (#14603, @brb)
* CODEOWNERS: Assign tools/ to cilium/contributing (#14433, @pchaigno)
* CODEOWNERS: Assign Travis files to ci-structure team (#15173, @pchaigno)
* CODEOWNERS: Remove docs-structure review from helm (#14965, @joestringer)
* CODEOWNERS: Split codeowners for the documentation (#14076, @pchaigno)
* CODEOWNERS: Split test/ code owners (#14244, @pchaigno)
* CODEOWNERS: Update required reviews (#15009, @pchaigno)
* Complete kube-router documentation by mentioning that "ipam: kubernetes" should be used (#14161, @manuelbuil)
* Consistently use structured logging for errors (#13814, @tklauser)
* Consolidate ec2 client create call (#14121, @ungureanuvladvictor)
* contrib/k8s: Add 'nsexec' script to run commands in the network namespace of a POD (#14361, @jrajahalme)
* contrib: Convert consolidate_go_stacktrace.py to python3 (#15140, @brb)
* Convert AWS API calls to use paginators (#14491, @ungureanuvladvictor)
* crypto/certloader: fix tests comparing crypto/x509.CertPool for Go 1.16 (#14789, @tklauser)
* daemon: Avoid blocking datapath on node discovery (#14670, @pchaigno)
* daemon: don't install cilium-node-monitor symlink (#15054, @tklauser)
* daemon: Turn on policy debug logging if Cilium is started with --debug (#14352, @jrajahalme)
* daemon_main: fix comments error (#14194, @lrouter)
* datapath/iptables: de-duplicate program argument construction (#14007, @tklauser)
* datapath/linux: Fix clang version regex check (#14742, @christarazi)
* datapath/loader: fix privileged test build (#14335, @tklauser)
* datapath: always generate BTF debug information (#14166, @jibi)
* datapath: migrate off j-keck/arping (#13112, @vladdy)
* datapath: Remove IPV{4,6}_NODEPORT (#14431, @brb)
* datapath: Use SHA256 instead of SHA1 for datapath hash (#14279, @twpayne)
* dependabot: disable automatic rebasing of PRs (#14826, @tklauser)
* dependabot: Fix labels (#14717, @pchaigno)
* dependabot: ignore ginkgo updates (#14821, @tklauser)
* dependabot: ignore grpc and miekg/dns updates (#14790, @tklauser)
* dependabot: limit number of open PRs to 1 (#14837, @tklauser)
* dev-doctor: Add --backporting flag for backporters (#14016, @twpayne)
* dev-doctor: Add Helm check (#14001, @twpayne)
* dev-doctor: Add more checks (#14229, @twpayne)
* distinguish between FIN and RST on datapath (#14097, @kkourt)
* doc: Add K8S flag to the example to add worker nodes (#14682, @aditighag)
* Doc: Add note to open tcp:4244 for Hubble Relay (#14758, @youssefazrak)
* doc: Update AUTHORS file (#14719, @kaworu)
* docker: bump cilium-iproute2 image (#14258, @jibi)
* Docker: Multi-arch & cross-compile build with docker buildx (#14208, @jrajahalme)
* docker: Pre-pull images correctly (#14759, @jrajahalme)
* Dockerfile image build process follow-ups (#15110, @aanm)
* Dockerfiles: quote FROM images if they contain 'sha256' (#14887, @aanm)
* docs/release: add step to update dashboards to grafana.com (#14312, @aanm)
* docs/vagrant: Remove reference of libvirt to avoid confusion (#13745, @sayboras)
* docs: Add az login command to AKS getting started guide (#13926, @twpayne)
* docs: Add info about Envoy smoke test (#14359, @jrajahalme)
* docs: Add link from EKS mode to ec2 privileges (#14515, @joestringer)
* docs: Add missing Jobs to the Jenkins Trigger Phrases table (#14199, @kaworu)
* docs: Advise running ginkgo in verbose for e2e tests (#15060, @pchaigno)
* docs: clarify janitor duties (#14127, @jibi)
* docs: Clarify that empty endpoint selectors implicitly limit to namespace (#14580, @twpayne)
* docs: Document update-cmdref make target usage (#14925, @nebril)
* docs: Expand triage description (#14235, @joestringer)
* docs: Fix commands to build dev. docker images (#15231, @pchaigno)
* docs: Fix ginkgo commands for e2e tests in GKE/EKS (#15223, @pchaigno)
* docs: Fix hint for updating cmdref (#13795, @brb)
* docs: Fix link formatting to builder/runtime images (#14421, @joestringer)
* docs: fix llvm git repo and clang folder (#14812, @fnzv)
* docs: Improve DNS port documentation (#14144, @joestringer)
* docs: Recommend use of backport scripts (#14011, @pchaigno)
* docs: Remove -noColor from ginkgo flags (#15224, @pchaigno)
* docs: Remove incorrect configuration advice for native routing (#15016, @cmacrae)
* docs: Rename priority/release-blocker to release-blocker/1.X (#14735, @pchaigno)
* docs: update dependency table to add links and download command (#15055, @kaitoii11)
* docs: Update our community docs page (#14968, @pchaigno)
* docs: Update testing docs with instructions to run specific tests (#14108, @aditighag)
* docs: Updates steps when using submit-backport (#14799, @pchaigno)
* Documentation: update iproute2 git URL in bpf.rst (#15207, @dmitris)
* Documentation: Update list of Jenkins jobs (#14592, @twpayne)
* Drop GODEBUG='madvdontneed=1' setting with Go 1.16 (#15076, @tklauser)
* endpoint: Enhance policy map sync (#14370, @jrajahalme)
* endpoint: Fix typo in CT clean logic (#14137, @joestringer)
* endpoint: remove unused (*Endpoint).FinishIPVLANInit and depended on symbols (#14056, @tklauser)
* envoy: Update proxylib interface (#14560, @jrajahalme)
* envoy: use errors.Is(..., net.ErrClosed) instead of string matching (#15080, @tklauser)
* Export and use agent event sub-types for Hubble (#14415, @tklauser)
* Extend endpoint related interfaces (#14743, @aditighag)
* Fix a bug that was causing Azure IPAM with multiple pod subnets to not work. (#15182, @AnishShah)
* Fix a typo in terminology documentation (#14181, @didier-durand)
* fix broken link on readme (#13981, @kaitoii11)
* Fix cilium typos (#14180, @twpayne)
* Fix error propagation in (*K8sWatcher).addK8sPodV1 (#14864, @tklauser)
* Fix integer conversions (#14561, @twpayne)
* Fix rawgit links in README.rst (#14092, @vignesh-codes)
* Fix typo in grpc example (#14874, @teyuchang)
* Fqdn: log misbehaving applications that do not respect DNS TTL (#14878, @youssefazrak)
* fqdn: Optimize KeepUniqueNames (#13920, @jrajahalme)
* fqdn: pass CIDR matcher to (*DNSZombieMappings).DumpAlive (#13990, @tklauser)
* gettingstarted: Corrected typos in memcached.rst (#15277, @unixdaddy)
* health: Disable routing in BPF when per-endpoint routes are enabled (#14741, @pchaigno)
* Helm: Allow enable-k8s-event-handover to be configured via Helm to control CNP Node status updates (#14555, @youssefazrak)
* hubble/parser/threefour: decode layers only if there is a packet (#14448, @tklauser)
* hubble/parser/threefour: ignore gopacket errors on unsupported layers (#14418, @tklauser)
* hubble: allow to filter agent events (#14242, @tklauser)
* hubble: Removal of legacy interfaces and minor cleanup of metrics (#14442, @gandro)
* hubble: Support --{last,since,until} on agent and debug events (#14739, @gandro)
* hubble: switch to google.golang.org/protobuf (#14635, @tklauser)
* images, vendor: update gops to 0.3.17 (#15299, @tklauser)
* images/cilium: set IMAGE_CROSS_TARGET_PLATFORM for right arch (#15074, @aanm)
* images: make update-golang-image.sh update hubble-proto Dockerfile (#14036, @kaworu)
* images: re-write README.md (#15108, @aanm)
* Improve pod deletion resiliency (#14898, @joestringer)
* install/kubernetes: remove quick-install from master branches (#15250, @aanm)
* install/kubernetes: set k8s min version manually (#14778, @aanm)
* install: Remove 1.9 RC workaround (#13863, @joestringer)
* ipvlan: use github.com/cilium/ebpf to create map and load program (#14043, @tklauser)
* jenkinsfile: Remove stale symlinks (#14365, @pchaigno)
* k8s: update k8s libraries to 1.19.4 (#14032, @aanm)
* k8s: update k8s libraries to 1.20.3 (#15030, @aanm)
* k8s: update k8s libraries to 1.20.4 (#15092, @aanm)
* k8s: Update libraries to v1.20.1 (#14481, @christarazi)
* kvstore: Fix event watcher serialization (#14101, @joestringer)
* lbmap: Add compile-time tests for interface satisfiability (#13868, @brb)
* maglev: Allocate permutations slice ahead of time (#14622, @christarazi)
* make: Use buildkit for docker targets by default (#14714, @jrajahalme)
* make: Use consistent Docker tag for dev-docker-image (#14062, @pchaigno)
* Makefile: do not depend on TARGET for install-bash-completion (#15147, @aanm)
* Makefile: Fix missing BASE_IMAGE in docker builds (#14967, @christarazi)
* Makefile: Remove microk8s prepull script (#14148, @joestringer)
* Makefile: Remove microk8s.registry dependency (#15157, @joestringer)
* Makefile: Simplify to run faster (#13939, @jrajahalme)
* Metrics: Add cilium_datapath_dump_resets for dump_interrupts count (#14888, @youssefazrak)
* Minor backporting script tweaks (#14027, @twpayne)
* Misc. cleanups in hubble and monitor packages (#14103, @tklauser)
* Modified path of fuzzer (#14813, @AdamKorcz)
* monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 (#14200, @tklauser)
* monitor: Display human-readable identities (#13601, @pchaigno)
* node/manager: remove unused *Manager methods (#15106, @tklauser)
* Observer to ignore unhandled debug event types (#14589, @anfernee)
* operator: use logfields in cilium operator logging (#14548, @fristonio)
* Optimize Label.String() (#15089, @michi-covalent)
* pkg/k8s/watchers follow-up for #14864 (#15004, @tklauser)
* pkg/k8s: add DeepEqual code generation for Service (#15077, @aanm)
* pkg/k8s: remove unused code (#14376, @aanm)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (#14617, @gandro)
* pkg/loadbalancer: Optimize L3n4Addr.Hash for performance (2) (#15091, @rolinh)
* pkg/logging: do not repeat klog messages on all levels (#14503, @aanm)
* pkg/rate: Make parsing of positive values more strict (#14536, @twpayne)
* pkg: Use strings.Builder instead of bytes.Buffer where possible (#13759, @twpayne)
* policy: Fix typo in issue link (#15251, @joestringer)
* policy: Suppress any policy map updates when updating redirects if keeping the current policy (#14356, @jrajahalme)
* Prepare for 1.10.0 development (#13617, @aanm)
* README: update security releases (#13977, @aanm)
* Refactor endpoint management (#14745, @joestringer)
* refactor: Remove `time.After` from any Loops (#14265, @nathanjsweet)
* refactor: Remove `time.After` from any Loops (#14380, @nathanjsweet)
* Remove references for old k8s version from tests (#14471, @fristonio)
* remove xtables.lock and privileged=true from node-local-dns example (#14319, @ghouscht)
* Replace remaining exit codes -1 with exit code 1 (#13798, @twpayne)
* Revert "azure, policy: Add JSON tags to CRD fields" (#15093, @aanm)
* Revert "Dockerfiles: quote FROM images if they contain 'sha256'" (#14897, @aanm)
* Revert accidentally introduced port change (#14328, @brandshaide)
* stale-bot: stale PRs with assignees (#14364, @aanm)
* Switch metrics map to cilium/ebpf (#14582, @jibi)
* test/helpers: Allow ssh.InsecureIgnoreHostKey in test code (#14535, @twpayne)
* test/Makefile: fix registryCredentials typo (#14051, @kkourt)
* test/packet: Default download to /tmp (#14055, @pchaigno)
* test: Allow test VMs have swap (#14506, @jrajahalme)
* test: Disable the host firewall in incompatible tests (#14037, @pchaigno)
* test: get cilium pods inside background closure (#14057, @kkourt)
* test: Only wait for one operator instance to be ready (#14360, @jrajahalme)
* test: update k8s to 1.20 (#14315, @aanm)
* treewide: bump copyright year to 2021 in generated files (#14573, @tklauser)
* Update authors file (#13866, @joestringer)
* Update CNI network plugin to 0.9.0 (#14620, @tklauser)
* Update EKS e2e testing docs (#14482, @ungureanuvladvictor)
* Update Go to 1.15.5 (#14013, @tklauser)
* Update Go to 1.15.6 (#14298, @tklauser)
* Update Go to 1.15.7 (#14662, @tklauser)
* Update Go to 1.15.8 (#14983, @tklauser)
* Update Go to 1.16 (#15068, @tklauser)
* Update Go to 1.16.1 (#15314, @tklauser)
* Update release process (#15034, @aanm)
* Update stable releases (#13804, @christarazi)
* Update stable releases (#14282, @aanm)
* Update stable releases (#14671, @aanm)
* Update stable releases (#14706, @aanm)
* Update stable releases (#14763, @joestringer)
* Update stable releases (#14896, @christarazi)
* Update stable releases (#15018, @joestringer)
* Update stable releases (#15122, @joestringer)
* Update stable releases (#15313, @joestringer)
* Update USERS.md (#14831, @imathu)
* Use logging pkg to setup cilium-cni logging (#14253, @ungureanuvladvictor)
* Use time.Truncate of more recent Go (#14493, @youssefazrak)
* Use toRawJson + quote for storing eniTags into Cilium configmap (#14499, @ungureanuvladvictor)
* Use vishvananda/netlink instead of net.Interface* (#15296, @anfernee)
* Vagrant Script: Detect colliding active virtualbox VMs and warn users (#14584, @vsk-coding)
* Vagrant: Add support for .devvmrc (#14272, @jrajahalme)
* vagrant: bump all box versions (#14632, @tklauser)
* vagrant: Bump all Vagrant box versions (#14024, @pchaigno)
* vagrant: bump box versions (#14736, @tklauser)
* vagrant: bump box versions (#15090, @tklauser)
* vagrant: bump box versions, again (#15129, @tklauser)
* vagrant: bump bpf-next vagrant box version (#14600, @borkmann)
* vagrant: make restart.sh executable (#13625, @twpayne)
* Vagrantfile: Add support for SHARE_PARENT=2 (#14559, @jrajahalme)
* Various documentation / comments fixes and improvements (#14439, @kaworu)
* vendor: bump github.com/google/gopacket to v1.1.19 (#14472, @tklauser)
* vendor: Bump gopkg.in/yaml.v2 to v2.4.0 (#14230, @twpayne)
* vendor: Pin github.com/optiopay/kafka to commit before fork (#15159, @christarazi)
* vendor: switch github.com/shirou/gopsutil to v3 (#15161, @tklauser)
* vendor: Update sigs.k8s.io/structured-merge-diff/v4 (#14752, @christarazi)
* vendor: use github.com/blang/semver/v4 (#14327, @tklauser)