Revision f0f563968df78aea22b4613411577e1a3b335ccb authored by Marga Manterola on 15 September 2023, 16:55:15 UTC, committed by Marga Manterola on 15 September 2023, 16:55:15 UTC
This reverts commit 7dc319e4e8e5c7e1d42d4e2f8c0fbc364bcd6b60.

Signed-off-by: Marga Manterola <marga@isovalent.com>
1 parent 99249ec
CHANGELOG.md
# Changelog

## v1.11.20

Summary of Changes
------------------

**Bugfixes:**
* Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled. Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27148, Upstream PR #27029, @pchaigno)

**Misc Changes:**
* chore(deps): update docker.io/library/golang docker tag to v1.19.11 (#27252, @ferozsalam)

**Other Changes:**
* install: Update image digests for v1.11.19 (#27125, @nathanjsweet)

## v1.11.19

Summary of Changes
------------------

**Bugfixes:**
* client, health/client: set dummy host header on unix:// local communication (Backport PR #26917, Upstream PR #26800, @tklauser)
* Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26872, Upstream PR #26708, @pchaigno)
* Fix bug where CNI gets installed even if cni.install=false (Backport PR #26419, Upstream PR #26278, @joestringer)
* Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26872, Upstream PR #25440, @pchaigno)
* Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26419, Upstream PR #25969, @jrajahalme)
* Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26752, Upstream PR #26344, @jrajahalme)
* ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26419, Upstream PR #26113, @jschwinger233)

**CI Changes:**
* ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26801, Upstream PR #26715, @tklauser)
* hostfw tests flake workaround (Backport PR #25557, Upstream PR #25323, @tommyp1ckles)
* test: Fix and unquarantine `Skip conntrack` test (Backport PR #27030, Upstream PR #25038, @pchaigno)
* v1.11: ci: increase ginkgo kernel test timeout (#26921, @mhofstetter)
* v1.11: ci: use Ariane to trigger workflows (#26578, @nbusseneau)

**Misc Changes:**
* Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26419, Upstream PR #26130, @brb)
* chore(deps): update actions/setup-go action to v4 (v1.11) (#26391, @renovate[bot])
* chore(deps): update all github action dependencies (v1.11) (minor) (#26452, @renovate[bot])
* chore(deps): update all github action dependencies (v1.11) (patch) (#26449, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26450, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26451, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.11) (#26448, @renovate[bot])
* chore(deps): update hubble cli to v0.12.0 (v1.11) (minor) (#26769, @renovate[bot])
* docker: Detect default "desktop-linux" builder (Backport PR #26419, Upstream PR #25908, @jrajahalme)
* docs/ipsec: Clarify limitation on number of nodes (Backport PR #26872, Upstream PR #26810, @pchaigno)
* docs/ipsec: Document RSS limitation (Backport PR #27030, Upstream PR #26979, @pchaigno)
* docs/ipsec: Extend troubleshooting section (Backport PR #27030, Upstream PR #26808, @pchaigno)
* docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26419, Upstream PR #26180, @wedaly)
* docs: Pick up PyYAML 6.0.1 (Backport PR #26917, Upstream PR #26883, @michi-covalent)
* docs: reword incorrect L7 policy description (Backport PR #26419, Upstream PR #26092, @peterj)
* docs: Specify Helm chart version in "cilium install" commands (Backport PR #27030, Upstream PR #26934, @michi-covalent)
* Fix "make -C Documentation builder-image" (Backport PR #26917, Upstream PR #26874, @michi-covalent)
* test/provision/compile.sh: Make usable from dev VM (Backport PR #25557, Upstream PR #25352, @jrajahalme)

**Other Changes:**
* envoy: Bump envoy to v1.24.9 (#26807, @sayboras)
* envoy: Bump envoy version to v1.23.10 (#25891, @mhofstetter)
* envoy: Bump envoy version to v1.24.10 (#27067, @sayboras)
* envoy: Bump minor version to v1.24.x (#26329, @sayboras)
* install: Update image digests for v1.11.18 (#26268, @qmonnet)
* v1.11 docs: Use stable-v0.14.txt for cilium-cli version (#26467, @michi-covalent)

## v1.11.18

Summary of Changes
------------------

**Major Changes:**
* policy: Promote Deny Policies from Beta to Stable (#25496, @nathanjsweet)

**Minor Changes:**
* Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26007, Upstream PR #25893, @pchaigno)
* docs: fix wording for the upgrade guide (#26164, @aspsk)

**Bugfixes:**
* Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #26021, Upstream PR #25784, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #26021, Upstream PR #25724, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #26021, Upstream PR #25735, @pchaigno)
* Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25935, Upstream PR #25419, @bimmlerd)
* Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #26021, Upstream PR #25744, @joamaki)
* Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26021, Upstream PR #26093, @pchaigno)
* Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR #25733, Upstream PR #25674, @jrajahalme)
* Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26021, Upstream PR #25953, @pchaigno)
* Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #26021, Upstream PR #25936, @joamaki)

**CI Changes:**
* [v1.11 backport] test: Switch target FQDN (#25586, @nbusseneau)
* Add github workflow to push development helm charts to quay.io (Backport PR #26089, Upstream PR #25205, @chancez)
* Pick up the latest startup-script image (Backport PR #25920, Upstream PR #25774, @michi-covalent)
* Re-enable the smoke test and the conformance-kind test for the CI. (#26153, @aspsk)
* Temporarily disable part of the conformance-kind test. (#25983, @aspsk)
* test: Collect sysdump as part of artifacts (Backport PR #25920, Upstream PR #25079, @pchaigno)

**Misc Changes:**
* backport (v1.11): docs: Promote Deny Policies out of Beta (#26149, @nathanjsweet)
* chore(deps): update dependency cilium/hubble to v0.11.6 (v1.11) (#26044, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.11) (#26000, @renovate[bot])
* install: Fail helm if kube-proxy-replacement is not valid (Backport PR #26007, Upstream PR #25907, @jrajahalme)
* ipsec: Fix cleanup of XFRM states and policies (Backport PR #26021, Upstream PR #26072, @pchaigno)
* Slim down Node handler interface (Backport PR #25935, Upstream PR #25450, @bimmlerd)

**Other Changes:**
* install: Update image digests for v0.11.17 (#25515, @jrajahalme)
* Reduce complexity of bpf_lxc by splitting per-packet lb to its own tail call (#25993, @aspsk)
* v1.11: Fix L4LB GHA (#25528, @brb)

## v1.11.17

Summary of Changes
------------------

**Bugfixes:**
* Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25139, Upstream PR #25043, @harsimran-pabla)
* Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25011, Upstream PR #24785, @giorio94)
* Fix incorrect network policy ebpf setup that may lead to incorrect packet denies when CEP is present in multiple CES (Backport PR #25382, Upstream PR #24838, @alan-kut)
* Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25382, Upstream PR #25222, @bimmlerd)
* helm chart: restore setting nodeSelector and tolerations on hubble-ui deployment via `values.yaml` (#25182, @BryanStenson-okta)
* ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25382, Upstream PR #23254, @pchaigno)
* pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25011, Upstream PR #24786, @hemanthmalla)

**CI Changes:**
* ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25139, Upstream PR #25046, @nbusseneau)
* Delete "Cilium monitor verbose mode" test (Backport PR #25382, Upstream PR #25212, @michi-covalent)
* inctimer: fix test flake where timer does not fire within time. (Backport PR #25349, Upstream PR #25219, @tommyp1ckles)
* jenkins: bump timeout to 210 minutes (#24938, @aanm)
* vagrant: Bump 4.9 Vagrant box (Linux 4.9.326, to fix a kernel bug) (Backport PR #25247, Upstream PR #21106, @qmonnet)

**Misc Changes:**
* chore(deps): update hubble cli to v0.11.5 (v1.11) (patch) (#25127, @renovate[bot])
* daemon: Mark CES feature as beta in agent flag (Backport PR #25011, Upstream PR #24850, @pchaigno)
* docs: Add matrix version between envoy and cilium (Backport PR #25349, Upstream PR #25109, @sayboras)
* docs: Add platform support to docs (Backport PR #25349, Upstream PR #25174, @joestringer)
* helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25349, Upstream PR #25033, @giorio94)
* ipsec: Install default-drop XFRM policy sooner (Backport PR #25382, Upstream PR #25257, @pchaigno)
* Makefile: use a specific template for mktemp files (Backport PR #25349, Upstream PR #25192, @kaworu)
* Misc Makefile improvements for quiet mode V=0 (Backport PR #25011, Upstream PR #20031, @joestringer)
* Update CNI to 1.3.0 (#25441, @jrajahalme)

**Other Changes:**
* [backport-v1.11] agent: dump stack on stale probes (#24977, @squeed)
* [v1.11] contrib/backporting: Fix main branch reference (#25093, @joestringer)
* Add helm-toolbox image for helm docs, lint (#25420, @jrajahalme)
* contrib/backporting: Fix main branch reference (#25141, @sayboras)
* envoy: Upgrade to v1.23.9 (#25210, @sayboras)
* install: Update image digests for v1.11.16 (#24954, @gentoo-root)
* v1.11: docs: Document upgrade impact for IPsec (#24974, @pchaigno)

## v1.11.16

Summary of Changes
------------------

**Minor Changes:**
* envoy: Bump envoy to v1.23.8 (#24911, @sayboras)
* envoy: Bump envoy version to v1.23.7 (#24748, @sayboras)

**Bugfixes:**
* Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24604, Upstream PR #24557, @jschwinger233)
* Fix for disabled cloud provider rate limiting (Backport PR #24458, Upstream PR #24413, @hemanthmalla)
* Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24872, @aanm)
* Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24852, Upstream PR #24788, @jrajahalme)
* Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24823, Upstream PR #24681, @aditighag)
* ipsec: Clean up stale XFRM policies and states (Backport PR #24823, Upstream PR #24773, @pchaigno)

**CI Changes:**
* Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24710, Upstream PR #24484, @jschwinger233)
* renovate: Fix Hubble release digest regex (Backport PR #24604, Upstream PR #24477, @gandro)
* tests: add exceptions for lease errors due to etcd (Backport PR #24823, Upstream PR #24723, @jibi)

**Misc Changes:**
* Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24931, Upstream PR #24928, @aanm)
* Avoid clearing objects in conversion funcs (Backport PR #24931, Upstream PR #24241, @odinuge)
* checker: Fix incorrect checker for ExportedEqual() (Backport PR #24458, Upstream PR #24373, @christarazi)
* chore(deps): update dependency cilium/hubble to v0.11.3 (v1.11) (#24820, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.11) (#24644, @renovate[bot])
* chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.11) (#24493, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.11) (#24498, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.11) (#24499, @renovate[bot])
* docs: add note that there are two Cilium CLIs (Backport PR #24604, Upstream PR #24435, @lizrice)
* docs: fix typo in operations/troubleshooting.rst (Backport PR #24604, Upstream PR #24460, @NikAleksandrov)
* docs: Fix upgradeCompatibility references (Backport PR #24823, Upstream PR #24711, @joestringer)
* docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24458, Upstream PR #24164, @jspaleta)
* docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24458, Upstream PR #24400, @pchaigno)
* Fix duplicated logs for test-output.log (Backport PR #24458, Upstream PR #24171, @romanspb80)
* hubble-ui: allow ingress from non root `/` urls (Backport PR #24604, Upstream PR #23631, @geakstr)
* loader: Don't compile `.asm` files by default (Backport PR #24823, Upstream PR #24769, @pchaigno)
* pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24823, Upstream PR #24715, @aanm)

**Other Changes:**
* Add IPSec remark for upgrade to v1.11.15 (#24632, @darox)
* Add note about known regression in ConfigMap values prioritized over flags in Cilium agent (#24743, @aanm)
* In service recovery, don't skip if one of the service recovery fails (#23922, @jaredledvina)
* install: Update image digests for v1.11.15 (#24425, @nebril)
* Prepare for release v1.11.16 (#24880, @michi-covalent)
* v1.11: docs: Document IPsec upgrade issue on v1.11.15 (#24704, @pchaigno)

## v1.11.15

Summary of Changes
------------------

**Minor Changes:**
* envoy: Bump envoy to 1.23.4 (Backport PR #23958, Upstream PR #23800, @sayboras)
* helm: Add pod and container security context (Backport PR #24089, Upstream PR #23443, @sayboras)
* helm: Add SA automount configuration (Backport PR #24089, Upstream PR #23441, @sayboras)

**Bugfixes:**
* Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24198, Upstream PR #24009, @squeed)
* agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23958, Upstream PR #23787, @giorio94)
* clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24089, Upstream PR #23947, @giorio94)
* daemon: fix panic when running with etcd with endpoint crd disabled (Backport PR #24385, Upstream PR #24085, @tommyp1ckles)
* envoy: Avoid empty typeURL for all resources (Backport PR #23862, Upstream PR #23763, @sayboras)
* Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23958, Upstream PR #23857, @giorio94)
* Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24308, Upstream PR #23874, @sjdot)
* Fix IPv6 policy enforcement for SNATed traffic from the Host (Backport PR #24368, Upstream PR #24132, @ysksuzuki)
* Fix leaking service backend entries when services with terminating backends were deleted. (#23858, @aditighag)
* ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23958, Upstream PR #23713, @gandro)
* node: require ipv4 address when wireguard is enabled (Backport PR #24040, Upstream PR #23552, @giorio94)

**Misc Changes:**
* Add leader requirement to watch from Etcd. (Backport PR #24089, Upstream PR #23590, @marseel)
* bpf: Fix usage of tunnel map structs (Backport PR #24089, Upstream PR #23469, @pchaigno)
* bugtool: Add ingress/egress tc filter dump (Backport PR #24198, Upstream PR #24057, @joestringer)
* chore(deps): update all github action dependencies (v1.11) (minor) (#24004, @renovate[bot])
* chore(deps): update all github action dependencies (v1.11) (patch) (#23995, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.2 (v1.11) (#23924, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 9fa30fc (v1.11) (#24141, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.11) (#23949, @renovate[bot])
* docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24198, Upstream PR #24055, @joestringer)
* docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24089, Upstream PR #24012, @gentoo-root)
* docs: replace usage of api.twitter.com (Backport PR #23958, Upstream PR #23669, @kaworu)
* Enable Google Analytics 4 (Backport PR #24066, Upstream PR #22220, @chalin)
* fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23958, Upstream PR #23904, @renovate[bot])
* Fixed link to broken anchor in RKE doc (Backport PR #23958, Upstream PR #23706, @raphink)
* IPsec: Remove `IP_POOLS` logic (Backport PR #24089, Upstream PR #24030, @pchaigno)
* Node ID restoration (Backport PR #23686, Upstream PR #23578, @pchaigno)
* Remove / in RKE doc link as it causes redirect bug (Backport PR #23958, Upstream PR #23728, @raphink)
* workflow: fixes LLVM, Clang cache and install path (Backport PR #23958, Upstream PR #23740, @brlbil)

**Other Changes:**
* images: update cilium-{runtime,builder} for 1.11 (#24302, @nebril)
* install: Update image digests for v1.11.14 (#23737, @joestringer)
* Revert "Pick up etcd v3.4.23" (#23789, @michi-covalent)
* v1.11 - Backport initContainer change (#24329, @ferozsalam)

## v1.11.14

Summary of Changes
------------------

**Minor Changes:**
* envoy: Bump envoy version to 1.22.7 (Backport PR #23627, Upstream PR #23502, @sayboras)

**Bugfixes:**
* Added Agent init check that removes all CiliumEndpoints referencing local Node that are not managed. This fixes issues where sometimes CiliumEndpoints referencing still running Pods can become unmanaged during Cilium restart. (Backport PR #23097, Upstream PR #20350, @tommyp1ckles)
* proxy: Fix deadlock in error path of CreateOrUpdateRedirect (Backport PR #23462, Upstream PR #23377, @gandro)

**CI Changes:**
* .github: set do not use provenance from docker buildx (Backport PR #23462, Upstream PR #23431, @aanm)
* [v1.11] test/k8sT: remove l7_demos test (#23348, @tklauser)
* daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #23097, Upstream PR #22600, @tommyp1ckles)
* test: print log messages that need to be investigated (Backport PR #23462, Upstream PR #23338, @aanm)
* tests: add exception for etcd error (Backport PR #23462, Upstream PR #23334, @aanm)

**Misc Changes:**
* .github/workflows: add version number in GH action (#23622, @aanm)
* .github/workflows: fix external contribution detection (Backport PR #23462, Upstream PR #23406, @aanm)
* .github/workflows: fix typo in organization parameter (Backport PR #23462, Upstream PR #23424, @aanm)
* .github/workflows: PR labeler fix GH workflow if expression (Backport PR #23627, Upstream PR #23482, @aanm)
* .github/workflows: set right secret name (Backport PR #23462, Upstream PR #23437, @aanm)
* bugtool: Dump envoy metrics for troubleshooting (Backport PR #23627, Upstream PR #22797, @sayboras)
* build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23455, @dependabot[bot])
* build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23416, @dependabot[bot])
* build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23510, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23491, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23456, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23594, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23415, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23611, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.2.2 to 2.2.3 (#23650, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23389, @dependabot[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.4 (v1.11) (#23684, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 4a45212 (v1.11) (#23568, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to b33325a (v1.11) (#23474, @renovate[bot])
* cilium: Fix missing error log dump from compilation (Backport PR #23462, Upstream PR #23339, @borkmann)
* daemon: Do not fail CI runs for already deleted CEP (Backport PR #23097, Upstream PR #22474, @jrajahalme)
* docs: Disable exclusive lock when chaining with aws-cni (Backport PR #23462, Upstream PR #23159, @jaygridley)
* fqdn/dnsproxy: move init LRU cache call out of StartDNSProxy. (Backport PR #23627, Upstream PR #23429, @tommyp1ckles)
* images/runtime: bump iptables package to 1.8.8 (Backport PR #23409, Upstream PR #23163, @jibi)
* Introduce node IDs in the datapath and the agent, so datapath can later use them to identify remote nodes (Backport PR #23627, Upstream PR #23202, @pchaigno)
* iptables: add support for iptables >= 1.8.7 (Backport PR #23409, Upstream PR #21096, @jibi)

**Other Changes:**
* [v1.11] renovate: Replace update-hubble-version.sh with Renovate Bot (#23531, @gandro)
* install: Update image digests for v1.11.13 (#23401, @qmonnet)
* Pick up etcd v3.4.23 (#23630, @michi-covalent)

## v1.11.13

Summary of Changes
------------------

**Minor Changes:**
* Bugtool: add flag to exclude object for endpoints (Backport PR #23313, Upstream PR #22370, @tbalthazar)
* Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23313, Upstream PR #22884, @dlapcevic)

**Bugfixes:**
* Added Agent init check that removes all CiliumEndpoints referencing local Node that are not managed. This fixes issues where sometimes CiliumEndpoints referencing still running Pods can become unmanaged during Cilium restart. (Backport PR #22563, Upstream PR #20350, @tommyp1ckles)
* Clear stale CNP status nodes if updates have been disabled (Backport PR #22563, Upstream PR #20366, @pippolo84)
* clustermesh: Add missing brackets of IPv6 address for etcd option (Backport PR #23313, Upstream PR #22962, @YutaroHayakawa)
* docs: Update Cilium Sphinx RTD Theme reference (Backport PR #22563, Upstream PR #22321, @kimstacy)
* envoy: Fix regression on passing TLS SNI option to upstream TLS connections (#23031, @jrajahalme)
* Fail validate-cnp preflight check if a CiliumClusterwideNetworkPolicy is using an empty toEndpoints/fromEndpoints selector (Backport PR #22563, Upstream PR #21990, @thorn3r)
* Fix a data race in dnsproxy which could lead to DNS request drops. (Backport PR #23313, Upstream PR #22619, @aspsk)

**CI Changes:**
* .github: Pin docker buildx version to v0.9.1 (v2) (Backport PR #23313, Upstream PR #23220, @joestringer)
* daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #23313, Upstream PR #22600, @tommyp1ckles)
* golangci-lint-action: Remove skip-go-installation option (#23216, @michi-covalent)
* test/helpers: Fix retry condition for CiliumExecContext (Backport PR #23313, Upstream PR #22726, @christarazi)
* test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #23313, Upstream PR #22772, @julianwiedmann)

**Misc Changes:**
* .github/workflows: use right event type for auto labeler (Backport PR #22563, Upstream PR #22508, @aanm)
* .github: add PR labeler for external contributions (Backport PR #22563, Upstream PR #22461, @aanm)
* Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #23313, Upstream PR #22821, @chalin)
* backporting: leave `backport/author` PRs alone (Backport PR #23313, Upstream PR #22654, @bimmlerd)
* build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22986, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22958, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 (#22987, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23114, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (#23071, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.38 to 2.1.39 (#23187, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23251, @dependabot[bot])
* build(deps): update package dependencies (Backport PR #23313, Upstream PR #23140, @fengshunli)
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 0e0402c (v1.11) (#22638, @renovate[bot])
* ci, github: Fix IPv6 conformance test (Backport PR #23055, Upstream PR #22774, @borkmann)
* contrib: Update PR template for backport (Backport PR #23313, Upstream PR #23058, @sayboras)
* daemon/cmd: Fix error handling for getting proxy port (Backport PR #22563, Upstream PR #22296, @christarazi)
* docs: add instructions to build the base images from external forks (Backport PR #22563, Upstream PR #22304, @aanm)
* docs: Fix `kubectl create` output in docs after some deployments have moved from K8s "extensions" to "apps". (Backport PR #22563, Upstream PR #22002, @cleverhu)
* docs: Improve IPsec guide (Backport PR #23313, Upstream PR #23135, @pchaigno)
* docs: Improve wording for deny policies limitation (Backport PR #23313, Upstream PR #23095, @joestringer)
* docs: update committer security requirements (Backport PR #23313, Upstream PR #23134, @xmulligan)
* gha: Bump k8s version in kind conformance tests (Backport PR #23055, Upstream PR #22325, @sayboras)
* IPsec: Refactor `ipSecReplaceState{In,Out}` functions (Backport PR #23313, Upstream PR #23158, @pchaigno)
* k8s: don't consider 4xx a successful interaction (Backport PR #22563, Upstream PR #22393, @bimmlerd)
* Update CNI to 1.2.0 (Backport PR #23313, Upstream PR #23267, @michi-covalent)
* Update Layer 7 Protocol Visibility Document. (Backport PR #23313, Upstream PR #22807, @obaranov1)
* vendor: Pick up security fixes (#23215, @michi-covalent)

**Other Changes:**
* [v1.11] images: Bump Hubble CLI to v0.11.1 (#23302, @gandro)
* install: Update image digests for v1.11.12 (#22818, @joestringer)

## v1.11.12

Summary of Changes
------------------

**Bugfixes:**
* Fix bug that could lead to inconsistent pod IP information between agents, sometimes leading to a failure to decrypt IPsec traffic. (Backport PR #22309, Upstream PR #22127, @aanm)
* Fix bug where configuring the API rate limiter options could fail when providing multiple options (Backport PR #22752, Upstream PR #22299, @thorn3r)
* Fix forwarding of the security identity by the DNS proxy which could cause random policy denials (Backport PR #22456, Upstream PR #22361, @aspsk)
* Fix GC of CEPs that were not GCed by kube-apiserver (Backport PR #22309, Upstream PR #22213, @aanm)

**CI Changes:**
* .github: Explicitly set build-commits job runner image version and install libtinfo5 (Backport PR #22329, Upstream PR #22315, @chancez)
* .github: fix bpf-checks on ubuntu-latest runner (Backport PR #22329, Upstream PR #22322, @julianwiedmann)
* Fix CODEOWNERS (#22293, @michi-covalent)

**Misc Changes:**
* .github/workflows: split the image tag update in two steps (Backport PR #22261, Upstream PR #22268, @aanm)
* Add automatic creation of Cilium base images (Backport PR #22261, Upstream PR #22179, @aanm)
* bpf: Remove FIB lookup for IPsec (Backport PR #22309, Upstream PR #22069, @pchaigno)
* build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#22485, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22713, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#22305, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 (#22495, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#22631, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22760, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22714, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (#22594, @dependabot[bot])
* chore(deps): update base-images (v1.11) (#22123, @renovate[bot])
* gha: Pin ubuntu-20.04 for conformance-test-ipv6 (Backport PR #22329, Upstream PR #22324, @sayboras)

**Other Changes:**
* .github/workflows: install promtool from binary release (#22331, @tklauser)
* install: Update image digests for v1.11.11 (#22239, @michi-covalent)

## v1.11.11

Summary of Changes
------------------

**Bugfixes:**
* Fix overlapping/duplicate PodCIDR allocation when nodes are added while operator is down (Backport PR #22073, Upstream PR #21526, @dylandreimerink)
* Fixed CCNP garbage collection (Backport PR #21810, Upstream PR #21394, @zuzzas)
* Fixes a deadlock that can be exposed in high-churn clusters when Pods are deleted rapidly. (Backport PR #21810, Upstream PR #21771, @squeed)

**Misc Changes:**
* Add a section with distro-specific considerations (Backport PR #22073, Upstream PR #21064, @bmcustodio)
* build(deps): bump actions/cache from 3.0.10 to 3.0.11 (#21721, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#21841, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#21786, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#21849, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 (#21697, @dependabot[bot])
* build(deps): bump docker/login-action from 2.0.0 to 2.1.0 (#21698, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 (#21700, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 (#21757, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 (#21787, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 (#21696, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.2 to 2.11.1 (#21711, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.27 to 2.1.28 (#21785, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (#21892, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.29 to 2.1.30 (#21972, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.30 to 2.1.32 (#22156, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#21840, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (#22112, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 (#21867, @dependabot[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.3 (v1.11) (#22145, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.3 (v1.11) (#22146, @renovate[bot])
* chore(deps): update docker.io/library/alpine:3.12.7 docker digest to de25c7f (v1.11) (#22124, @renovate[bot])
* chore(deps): update docker.io/library/alpine:3.16.2 docker digest to 65a2763 (v1.11) (#22125, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.17.13 docker digest to 87262e4 (v1.11) (#22126, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 450e066 (v1.11) (#22143, @renovate[bot])
* chore(deps): update module go to 1.17 (v1.11) (#22147, @renovate[bot])
* Clarify in documentation that Azure CNI chaining is different from Azure CNI powered by Cilium. (Backport PR #22073, Upstream PR #21897, @wedaly)
* docs: Remove `autoDirectNodeRoutes` where not needed (Backport PR #22073, Upstream PR #21831, @pchaigno)
* docs: Update k8s NetworkPolicy descriptions (Backport PR #21810, Upstream PR #21670, @joestringer)

**Other Changes:**
* images: update cilium-{runtime,builder} (#22195, @michi-covalent)
* install: Update image digests for v1.11.10 (#21766, @qmonnet)

## v1.11.10

Summary of Changes
------------------

**Bugfixes:**
* bugtool: Fix pprof default ports (Backport PR #21633, Upstream PR #21497, @pippolo84)
* daemon: avoid nil pointer dereference on invalid endpoint state (Backport PR #21468, Upstream PR #21449, @tklauser)
* daemon: Fix a nil dereference on cleanup when DNS proxy is not enabled (Backport PR #21468, Upstream PR #21365, @joamaki)
* Fix agent deadlock caused by frequent kube-apiserver IP recycling (Backport PR #21564, Upstream PR #21629, @joestringer)
* Fix bug that can cause some traffic covered by an L7 policy to be dropped when IPsec is enabled on EKS. (Backport PR #21642, Upstream PR #21595, @pchaigno)
* Fix bug where traffic sent outside the cluster via ToFQDNs policy would be denied despite a policy that allows it (Backport PR #21564, Upstream PR #20721, @joestringer)
* ipcache: Fix metadata access from CIDR allocation (Backport PR #21564, Upstream PR #21565, @joestringer)

**CI Changes:**
* Remove Slack notifications (Backport PR #21468, Upstream PR #21239, @michi-covalent)

**Misc Changes:**
* bugtool: Dump envoy config for troubleshooting (Backport PR #21468, Upstream PR #21348, @sayboras)
* build(deps): bump 8398a7/action-slack from 3.13.2 to 3.14.0 (#21442, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.8 to 3.0.10 (#21557, @dependabot[bot])
* build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#21573, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.22 to 2.1.24 (#21341, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.24 to 2.1.25 (#21396, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.25 to 2.1.26 (#21513, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#21624, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#21426, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 (#21408, @dependabot[bot])
* cmd/bpf: Log if no policy maps found (Backport PR #21468, Upstream PR #21429, @aditighag)
* contrib: avoid reviews from non-collaborators (Backport PR #21633, Upstream PR #21577, @bimmlerd)
* Fix a typo in the comment example (Backport PR #21468, Upstream PR #21402, @farcaller)
* helm: Fix post-start and pre-stop hooks for cilium-nodeinit on Ubuntu EKS images (Backport PR #21468, Upstream PR #20979, @dctrwatson)
* images: update cilium-{runtime,builder} (#21660, @qmonnet)
* ipcache: Fix lock leak (Backport PR #21564, Upstream PR #20833, @joestringer)
* ipcache: Release metadata mutex in loop error condition (Backport PR #21564, Upstream PR #21653, @joestringer)
* ipsec: Fix slightly incorrect assumption in XFRM IN policies (Backport PR #21642, Upstream PR #21621, @pchaigno)
* ipsec: Refactoring around `UpsertIPsecEndpoint` (Backport PR #21633, Upstream PR #21461, @pchaigno)
* ipsec: Simplify XFRM FWD policies (Backport PR #21642, Upstream PR #21602, @pchaigno)
* ipsec: Simplify XFRM IN policies (Backport PR #21468, Upstream PR #21370, @pchaigno)
* makefile: use versioned Go container when formatting after api generate. (Backport PR #21468, Upstream PR #21254, @tommyp1ckles)

**Other Changes:**
* Aspsk/backports to v1.11 (#21476, @aspsk)
* install: Update image digests for v1.11.9 (#21309, @nebril)
* test: node: use Eventually() to check CiliumNode labels (#21399, @jibi)

## v1.11.9

Summary of Changes
------------------

**Minor Changes:**
* Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener (Backport PR #21223, Upstream PR #21127, @geakstr)
* dnsproxy: stop serving DNS traffic before agent shutdown (Backport PR #21223, Upstream PR #20795, @nebril)
* install: add TerminationMessagePolicy to cilium pods (Backport PR #21291, Upstream PR #21012, @squeed)
* put stderr of iptables command into error instead of merging into stdout (Backport PR #21139, Upstream PR #20895, @liuyuan10)

**Bugfixes:**
* clustermesh-apiserver: fix key name for delete during k8s->kvstore sync (Backport PR #21139, Upstream PR #21078, @tklauser)
* datapath: allow local NodePort traffic for `eni+` container interfaces with CNI chaining (Backport PR #21223, Upstream PR #21126, @ti-mo)
* Do not enable health checks if only Terminating backends are present on a Node which is selected by a Service with `externalTrafficPolicy: Local` Service (Backport PR #21211, Upstream PR #21062, @zuzzas)
* Fix conflicting routes for multiple ENIs in IPAM mode (Backport PR #21223, Upstream PR #20112, @recollir)
* Fix identity garbage collection in clustermesh environments (#20933, @aanm)
* Fix node label synchronization in the KVStore when IPSec configuration changes (Backport PR #21139, Upstream PR #21087, @aanm)
* Fix regression with cilium-health-probe controller in IPv6-only clusters (Backport PR #20939, Upstream PR #20849, @aanm)
* Fix Wireguard connectivity issues when using kvstore mode (Backport PR #21139, Upstream PR #21080, @aanm)
* Fixed PodCIDR announcement being overwritten by SVC announcement (Backport PR #20880, Upstream PR #20413, @dylandreimerink)
* Fixes typos in enabling fqdn_semaphore_rejected_total metric (Backport PR #20939, Upstream PR #20893, @rahulkjoshi)
* For configurations with Egress Gateway and Direct-Routing, avoid recreating the cilium_vxlan interface on every restart. (Backport PR #21139, Upstream PR #20780, @julianwiedmann)
* ipcache/kvstore: fix panic when processing ip=<nil> entries (Backport PR #20939, Upstream PR #20706, @ArthurChiao)
* ipsec: Fix incorrect parsing of SPI from mark (Backport PR #20939, Upstream PR #20900, @pchaigno)
* k8s/watchers: fix panic in CiliumEndpoint labels update (Backport PR #21139, Upstream PR #20865, @jaffcheng)
* kvstore/allocator: fix panic on receiving invalid identity entries (Backport PR #21291, Upstream PR #21213, @ArthurChiao)
* operator: do not GC kvstore nodes if CiliumNodes are not available (Backport PR #21223, Upstream PR #21133, @aanm)
* operator: update CiliumNode in kvstore without lease (Backport PR #21223, Upstream PR #21202, @tklauser)
* pkg/k8s/watcher: fix deadlock crash that occurs when handling endpoint and service updates. (Backport PR #21223, Upstream PR #21093, @tommyp1ckles)
* v1.11: operator: fix key name for delete during k8s->kvstore sync (#20983, @tklauser)
* When systemd-sysctl sets the rp_filter sysctl, tolerate missing lxc_* / cilium_* interfaces. (Backport PR #21223, Upstream PR #21146, @julianwiedmann)

**CI Changes:**
* backport v1.11: test: Switch to kindest/node:v1.24.3 (#20919, @brb)
* CI: Enable IPv6 in the L4LB suite (Backport PR #20939, Upstream PR #20821, @brb)
* config: Fix unit tests for native routing CIDR (Backport PR #20939, Upstream PR #20473, @pchaigno)
* gh/workflows: stop using ubuntu-18.04 runner (Backport PR #21139, Upstream PR #21015, @julianwiedmann)
* k8s: fix test flake in TestGenerateToCIDRFromEndpoint. (Backport PR #21223, Upstream PR #21220, @tommyp1ckles)
* k8s: fix test flake in TestGenerateToCIDRFromEndpoint. (Backport PR #21291, Upstream PR #21220, @tommyp1ckles)
* Update wrk2 repository (#21158, @michi-covalent)

**Misc Changes:**
* add kvstore TTL flag in cilium-operator (Backport PR #21139, Upstream PR #21006, @NikhilSharmaWe)
* bgp: Fixed broken bgp speaker unit tests (Backport PR #20880, Upstream PR #20521, @dylandreimerink)
* build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 (#21036, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.7 to 3.0.8 (#21024, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (#21047, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 (#20988, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 (#21025, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 (#21091, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 (#21172, @dependabot[bot])
* Coalesce of health endpoint CIDRs (Backport PR #21223, Upstream PR #20848, @dezmodue)
* docs(bandwidth-manager): add note on per-pod limits (Backport PR #20939, Upstream PR #20916, @raphink)
* docs: fix check-crd-compat-table script (Backport PR #21291, Upstream PR #21208, @aanm)
* docs: Update ToServices docs section (Backport PR #21139, Upstream PR #21052, @joestringer)
* Document per-endpoint route requirement in aws-cni Helm snippet (Backport PR #21291, Upstream PR #21276, @ti-mo)
* Fix complaint about nil IP address on restore of cilium_host (Backport PR #20939, Upstream PR #20734, @christarazi)
* Improve CRD schema update automation during release process (Backport PR #20939, Upstream PR #20875, @joestringer)
* metallb: bump to latest metallb version (Backport PR #21223, Upstream PR #21131, @ldelossa)
* test: update k8s versions to the latest patched releases (#21101, @aanm)

**Other Changes:**
* Adding support for tracking instance hypervisor type in ENI limits pkg (#20930, @tommyp1ckles)
* install: Update image digests for v1.11.8 (#20927, @joestringer)

## v1.11.8

Summary of Changes
------------------

**Minor Changes:**
* add an option to wait for kube-proxy (Backport PR #20840, Upstream PR #20517, @michi-covalent)
* Add metric on number of requests rejected by DNS Proxy semaphore (Backport PR #20840, Upstream PR #20491, @rahulkjoshi)
* Cilium Istio integration is updated to Istio release 1.10.6 (Backport PR #20840, Upstream PR #18384, @jrajahalme)

**Bugfixes:**
* Add EndpointSlice support for clustermesh-apiserver (Backport PR #20840, Upstream PR #20697, @YutaroHayakawa)
* Envoy version checking is now disabled whenever L7 proxy is disabled too (Backport PR #20840, Upstream PR #20440, @bmcustodio)
* Fix ineffective post-start hook in ENI mode (Backport PR #20840, Upstream PR #20741, @bmcustodio)
* Fix mtu setting for tunnel interface in init.sh (Backport PR #20840, Upstream PR #20552, @ChengyuanLiCY)
* Fix parsing of string map command line options when more than one separator is present. (Backport PR #20840, Upstream PR #20673, @tklauser)
* Fix the bugs when empty CiliumEndpointSlices were created and leaked. (Backport PR #20840, Upstream PR #20251, @alan-kut)
* helm: Guard apply sysctl init container (Backport PR #20840, Upstream PR #20643, @sayboras)
* iptables: handle case where kernel IPv6 support is disabled (Backport PR #20840, Upstream PR #20680, @jibi)
* Optimize Eni update latency after new eni created (Backport PR #20840, Upstream PR #20609, @wu0407)
* pkg/k8s/version: Also set EndpointSlice when forcing version (Backport PR #20840, Upstream PR #20383, @joamaki)
* Fix bug where Cilium would crash on startup with an error about being unable to delete iptables rules. (Backport PR #20891, Upstream PR #20885, @jibi)

**CI Changes:**
* ci: fix code changes detection on `push` events (Backport PR #20840, Upstream PR #20685, @nbusseneau)
* ci: pick up cilium-cli v0.11.9 for master/v1.11 workflows (Backport PR #20840, Upstream PR #20234, @tklauser)
* ci: pick up cilium-cli v0.12.0 for master, v1.11 and v1.12 workflows (Backport PR #20840, Upstream PR #20617, @tklauser)
* docs: Bump up Netlify Python version to 3.8 (Backport PR #20840, Upstream PR #20486, @michi-covalent)

**Misc Changes:**
* Add metric to track terminating endpoint events (Backport PR #20840, Upstream PR #20404, @aditighag)
* Add Peer Service to Cilium DS Port List (Backport PR #20840, Upstream PR #20296, @nathanjsweet)
* build(deps): bump actions/cache from 3.0.5 to 3.0.6 (#20805, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.6 to 3.0.7 (#20872, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 (#20592, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 (#20807, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.16 to 2.1.17 (#20708, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.17 to 2.1.18 (#20784, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 (#20577, @dependabot[bot])
* build(deps): bump library/alpine from 3.16.0 to 3.16.1 in /images/cache (#20587, @dependabot[bot])
* build(deps): bump library/alpine from 3.16.1 to 3.16.2 in /images/cache (#20855, @dependabot[bot])
* Consider `$GO` environment variable `make precheck` checks (Backport PR #20840, Upstream PR #20750, @tklauser)
* contrib: Add CRD generation to release process (Backport PR #20840, Upstream PR #20564, @joestringer)
* daemon: Improve dnsproxy error when EP not found (Backport PR #20840, Upstream PR #20649, @joestringer)
* dnsproxy: update dnsproxy benchmark memory calculation (Backport PR #20840, Upstream PR #20305, @odinuge)
* docs(masquerading): add missing "address" (Backport PR #20840, Upstream PR #20538, @raphink)
* docs, ci, test/l4lb: use latest cilium-cli release according to stable.txt (Backport PR #20840, Upstream PR #20203, @tklauser)
* docs: fix a Links documentation style guide error (Backport PR #20840, Upstream PR #20460, @Kikiodazie)
* docs: update etcd kvstore migration instructions (Backport PR #20840, Upstream PR #20624, @hhoover)
* docs: Update Helm values (Backport PR #20840, Upstream PR #20716, @qmonnet)
* Fix `subnet_id` label value being empty in IP allocation and interface creation in ENI IPAM metrics (Backport PR #20840, Upstream PR #20449, @wu0407)
* fqdn/dnsproxy: fix test build (Backport PR #20840, Upstream PR #20537, @tklauser)
* helm: Make DNS policy for cilium-agent and cilium-operator pods configurable (Backport PR #20840, Upstream PR #20082, @michi-covalent)
* hubble-ui: release v0.9.1 (Backport PR #20840, Upstream PR #20572, @geakstr)
* pkg/k8s: do not wait for endpointslice cache sync in k8s >= 1.17 (Backport PR #20840, Upstream PR #20569, @aanm)
* pkg/k8s: set the right IP addresses in log messages (Backport PR #20840, Upstream PR #20757, @aanm)
* pkg/metrics: Remove source node label (Backport PR #20840, Upstream PR #20433, @aditighag)
* Revert "Revert "doc: update the api spec for fqdn egress policies cod… (Backport PR #20840, Upstream PR #20744, @aanm)
* v1.11: Update Go to 1.17.13 (#20747, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.7 (#20561, @joestringer)
* remove stable tag from docker images builds (#20575, @aanm)

## v1.11.7

Summary of Changes
------------------

**Major Changes:**
* add support for AKS BYOCNI (Backport PR #20364, Upstream PR #19379, @nbusseneau)

**Minor Changes:**
* Add metric on datapath update latency due to FQDN IP updates (Backport PR #20263, Upstream PR #19992, @rahulkjoshi)
* IPSec key rotation without agent restart (Backport PR #20157, Upstream PR #19814, @jibi)
* metrics: Add extra clustermesh metrics (Backport PR #20229, Upstream PR #18348, @sayboras)
* Speed up identity lookup in Hubble and L7 proxy by no longer calculating SHA256 over labels. (Backport PR #20364, Upstream PR #20104, @tklauser)
* Use DeleteOnMetadataMatch instead of Delete for endpointUpdated (Backport PR #20263, Upstream PR #19996, @kvaster)
* v1.11: helm: disable the peer service by default (#20291, @rolinh)

**Bugfixes:**
* `node-init` now takes `enableIPv4Masquerade` into account on GKE. (Backport PR #20412, Upstream PR #19533, @bmcustodio)
* bpf: Fix typo in host firewall tail call (Commit https://github.com/cilium/cilium/commit/0f6513399d66b7302f3fd11613430f47118e6b42, @pchaigno)
* bpf: Use tunnel port flag instead of hardcoded value (Backport PR #20263, Upstream PR #20115, @pchaigno)
* bug: Fixed a rare CiliumIdentity race deletion. (Backport PR #20364, Upstream PR #19936, @nathanjsweet)
* cilium: fix conflicting iptables-legacy and iptables-nft rules (Backport PR #20364, Upstream PR #20123, @jrfastab)
* Consider VPC's secondary CIDRs during cilium_host IP restoration (Backport PR #20364, Upstream PR #19341, @hemanthmalla)
* daemon, option: Fix vlan bpf bypass ids loading (Backport PR #20412, Upstream PR #20282, @pippolo84)
* daemon: Fix issue where stale router IPs were not cleaned up (Backport PR #20412, Upstream PR #20389, @gandro)
* datapath: Fix security ID propagation in tunnel header for NodePort BPF forwarded requests (Backport PR #20301, Upstream PR #19061, @brb)
* Fix agent panic in some cases when service matcher local redirect policy was deployed prior to the selected service. (Backport PR #20263, Upstream PR #19522, @aditighag)
* Fix Azure IPAM 403 errors for Azure instances using Azure Compute Gallery images (Backport PR #20364, Upstream PR #19697, @andrew-bulford-form3)
* Fix Cilium bootstrapping regression with etcd without relying on DNS (Backport PR #20263, Upstream PR #20106, @aanm)
* Fix Cilium initialization for clusters with etcd-operator (Backport PR #20263, Upstream PR #20131, @aanm)
* Fix drop of large packets redirected through an egress gateway node when running in native routing mode. (Backport PR #20412, Upstream PR #20269, @pchaigno)
* fix identity gc to return correct max/min id (Backport PR #20412, Upstream PR #20361, @dkhachyan)
* Fixed SystemD >=245 sysctl(`rp_filter`) config incompatibility (Backport PR #20364, Upstream PR #20072, @dylandreimerink)
* helm: Fix cluster-id arguments in clustermesh deployment (Backport PR #20364, Upstream PR #20312, @sayboras)
* ipsec: fix stale keys reclaim logic (Backport PR #20157, Upstream PR #19932, @jibi)
* iptables: ensure all rules are installed consistently (Backport PR #20178, Upstream PR #19693, @jibi)
* iptables: fix typo in addProxyRule condition (Backport PR #20178, Upstream PR #20109, @jibi)
* nodediscovery: ensure we cache the nodeResource correctly to avoid null pointer dereferencing (Backport PR #20263, Upstream PR #20158, @odinuge)
* nodediscovery: make LocalNode return a deep copy of localNode (Backport PR #20157, Upstream PR #20392, @jibi)
* nodemanager: Fix bug where Cilium tried to reach stale health endpoints on kubeapi-server nodes (Backport PR #20263, Upstream PR #20210, @gandro)

**CI Changes:**
* ci: provide CI images with unstripped binaries (Backport PR #20263, Upstream PR #20238, @tklauser)
* jenkinsfiles: fix docker manifest inspect commands in GKE pipeline (Backport PR #20364, Upstream PR #20325, @tklauser)
* runtime: Bump privileged test timeout (Backport PR #20263, Upstream PR #19487, @joestringer)

**Misc Changes:**
* [docs] Add training and support information to Getting Help (Backport PR #20364, Upstream PR #20194, @lizrice)
* Add a note about conflicting node CIDRs #20204 (Backport PR #20263, Upstream PR #20208, @wokalski)
* Add ESP to firewall requirements in documentation for IPSec enabled C… (Backport PR #20364, Upstream PR #20314, @Kikiodazie)
* api: re-sync bpf drop reasons (Backport PR #20412, Upstream PR #20149, @julianwiedmann)
* build(deps): bump actions/cache from 3.0.4 to 3.0.5 (#20495, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#20465, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.12 to 2.1.13 (#20261, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.13 to 2.1.14 (#20293, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.14 to 2.1.15 (#20344, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.15 to 2.1.16 (#20504, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.2.0 to 1.3.0 (#20201, @dependabot[bot])
* ctmap: Do not use nil locks (Backport PR #20412, Upstream PR #20388, @jrajahalme)
* docs(policy): add notes on DNS/L7 policies & Cilium agent availability (Backport PR #20364, Upstream PR #20289, @raphink)
* docs: Document clustermesh datapath configuration for non-tunneled modes (Backport PR #20412, Upstream PR #16499, @jrajahalme)
* docs: Fix reference to upgrade guide (Backport PR #20263, Upstream PR #20184, @joestringer)
* docs: Improve policy troubleshooting guide (Backport PR #20412, Upstream PR #20399, @joestringer)
* docs: remove stale EgressGW limitation with CES (Backport PR #20263, Upstream PR #20195, @julianwiedmann)
* helm: Templatize preflight and clustermesh-apiserver repos (Backport PR #20263, Upstream PR #20206, @michi-covalent)
* operator: start the event queue in a dedicated go routine (Backport PR #20493, Upstream PR #20353, @aanm)
* update-docs : add details for how to enable/disable Policy Audit Mode by endpoint (Backport PR #20263, Upstream PR #19876, @BryanStenson-okta)
* v1.11: Update Go to 1.17.12 (#20503, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.6 (#20223, @joestringer)
* update k8s versions to the latest releases (#20513, @aanm)

## v1.11.6

Summary of Changes
------------------

**Minor Changes:**
* Add concurrency limiting for DNS message processing (Backport PR #19858, Upstream PR #19592, @nebril)
* Add config flag to add a prefix to AgentNotReadyNodeTaint value in order to enable the taint being ignored by cluster autoscaler. (Backport PR #20183, Upstream PR #19247, @thejosephstevens)
* Add counter to track all datapath timeouts due to FQDN IP updates (Backport PR #20111, Upstream PR #19809, @ungureanuvladvictor)
* Add type label to the identity metric (Backport PR #20111, Upstream PR #19999, @ungureanuvladvictor)
* Bugtool: Add additional Linux traffic-control (tc) data to cilium-bugtool output. (Backport PR #19966, Upstream PR #19856, @tommyp1ckles)
* Change default agent health check port to avoid conflicts (Backport PR #19858, Upstream PR #19830, @tklauser)
* Ensure priority scheduling of CNI agent. Repair a deprecated Kubernetes annotation. The annotation was used to schedule pods at high priority. This deprecation, which occurred in Kubernetes 1.16, results in unexpected behavior. (Backport PR #20111, Upstream PR #18667, @sdake)
* envoy: Bump cilium envoy to latest version v1.21.3 (Backport PR #20146, Upstream PR #20142, @sayboras)
* ui: v0.9.0 images and drop envoy proxy container (Backport PR #20111, Upstream PR #19565, @geakstr)

**Bugfixes:**
* cli: Update regex for key value validation (Backport PR #19858, Upstream PR #19794, @sayboras)
* cli: Use custom named map instead of StringToStringVar (Backport PR #20111, Upstream PR #19968, @sayboras)
* clustermesh: Add ownerReferences for CiliumNodes (Backport PR #20111, Upstream PR #19959, @sayboras)
* cmd: Allow more complicated patterns in map string type. (Backport PR #20111, Upstream PR #19955, @sayboras)
* datapath: Fix implicit-int-conversion err in common.h (Backport PR #19966, Upstream PR #19832, @brb)
* Fix bug where established host connections would be interrupted on agent restart if the host firewall was enabled. (Backport PR #20111, Upstream PR #19998, @pchaigno)
* Fix memory leak in the DNS cache when a long-lived endpoint makes many unique DNS lookups over time (Backport PR #20111, Upstream PR #19925, @christarazi)
* Fix race condition leading to inconsistent CiliumNode that can cause the agent to fatal. (Backport PR #20111, Upstream PR #19923, @pchaigno)

**CI Changes:**
* jenkins: switch to ad-hoc GKE cluster creation/deletion (Backport PR #19966, Upstream PR #19918, @nbusseneau)
* test: Wait for pod termination in K8sServicesTest (Backport PR #19858, Upstream PR #19750, @brb)

**Misc Changes:**
* api: change "group not found" log to debug (Backport PR #19966, Upstream PR #19927, @tklauser)
* bugtool: Add structured node and health output (Backport PR #20111, Upstream PR #20011, @gandro)
* build(deps): bump actions/cache from 3.0.2 to 3.0.3 (#20023, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.3 to 3.0.4 (#20102, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.0.0 to 3.1.0 (#19803, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (#19974, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 (#19902, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.11 to 2.1.12 (#20059, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.9 to 2.1.11 (#19854, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#19783, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.2 to 1.5.3 (#19868, @dependabot[bot])
* build(deps): bump library/alpine from 3.15.4 to 3.16.0 in /images/cache (#19944, @dependabot[bot])
* Do not disable peer service when hubble.listenAddress is empty (Backport PR #19966, Upstream PR #19886, @chancez)
* docs: Add docs-builder build as dependency to live preview (Backport PR #19966, Upstream PR #19885, @qmonnet)
* docs: add kube-apiserver to the special identity list (Backport PR #20111, Upstream PR #20047, @kaworu)
* docs: Document operator.unmanagedPodWatcher (Backport PR #19846, Upstream PR #19820, @joestringer)
* docs: Fix incorrect command in IPsec GSG (Backport PR #19858, Upstream PR #19767, @pchaigno)
* docs: Fix incorrect FQDN flag (Backport PR #19966, Upstream PR #19930, @pchaigno)
* docs: Fix max SPI value for IPsec key rotations (Backport PR #19966, Upstream PR #19893, @pchaigno)
* docs: Remove '\r' chars from grep result to parse Alpine image name (Backport PR #19966, Upstream PR #19888, @qmonnet)
* Document that clustermesh cluster-id range is 1-255 (Backport PR #19858, Upstream PR #19683, @stonith)
* Expose metrics for active FQDN connections per endpoint (Backport PR #20111, Upstream PR #19857, @christarazi)
* helm: don't generate the hubble-peer svc during preflight checks (Backport PR #19858, Upstream PR #19759, @kaworu)
* helm: use port 80/443 by default for the peer service (Backport PR #20111, Upstream PR #19933, @rolinh)
* Improve Cilium DNS Proxy-related error metrics (Backport PR #19858, Upstream PR #19702, @christarazi)
* ipcache: Error out from InjectLabels if Checker is nil (Backport PR #19966, Upstream PR #19887, @jrajahalme)
* k8s: Update libraries to v1.23.5 (#19245, @nathanjsweet)
* metrics: Fix NaN value for cilium metrics list CLI (Backport PR #20111, Upstream PR #19987, @sayboras)
* Optimize CIDR label functions (Backport PR #20111, Upstream PR #19843, @christarazi)
* pkg/fqdn: Replace remaining usages of regex compile with LRU (Backport PR #20111, Upstream PR #19875, @christarazi)
* Templatize helm template image references (Backport PR #20189, Upstream PR #20066, @joestringer)
* Use FQDN regex LRU everywhere (Backport PR #19858, Upstream PR #19632, @christarazi)
* v1.11: Update Go to 1.17.10 (#19776, @tklauser)
* v1.11: Update Go to 1.17.11 (#20063, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.5 (#19840, @joestringer)
* v1.11: Pick up the latest cilium-cli for kind conformance test (#19889, @michi-covalent)
* v1.11: tests-l4lb: Use Helm chart from local branch (#20003, @jibi)
* workflow: l4lb: pass correct path for PR checkout (#20009, @jibi)

## v1.11.5

Summary of Changes
------------------

**Minor Changes:**
* datapath: Allow egress GW with XDP (Backport PR #19671, Upstream PR #19587, @brb)
* hubble/relay: Make the Hubble Peer service available by making it a Kubernetes service to eliminate the need to share a local Unix domain socket between a privileged pod (cilium daemon) and an unprivileged one (hubble-relay). (Backport PR #19752, Upstream PR #18620, @nathanjsweet)
* k8s: keep KVStore CiliumNode labels synced with Node object (Backport PR #19481, Upstream PR #19375, @jibi)
* metrics: Add go_* metrics (Backport PR #19585, Upstream PR #19153, @chancez)

**Bugfixes:**
* Add missing packet trace for some non-NodePort SNAT egress (Backport PR #19752, Upstream PR #19158, @YutaroHayakawa)
* clustermesh-apiserver: fixed nil pointer dereference (Backport PR #19752, Upstream PR #18957, @abocim)
* Fatal when IPv6 is enabled but corresponding kernel modules are missing (Backport PR #19481, Upstream PR #18941, @vadorovsky)
* Fix drop for packets sent via AF_PACKET + mmap ring buffer in pod (Backport PR #19481, Upstream PR #19308, @liuyuan10)
* Fixed Cilium agent regression causing a crash due to ipcache controller being scheduled too soon. (Backport PR #19573, Upstream PR #19501, @jrajahalme)
* Improve garbage collection for resources allocated by ToFQDNs policy for services which rotate IP addresses frequently such as Amazon S3 (Backport PR #19585, Upstream PR #19452, @joestringer)
* operator: Add cilium node garbage collector (Backport PR #19752, Upstream PR #19576, @sayboras)
* operator: fix identity GC collection (Backport PR #19671, Upstream PR #19649, @aanm)
* Use identity labels for selector matching for Egress NAT Gateway (Backport PR #19481, Upstream PR #19194, @blzhao-0)

**CI Changes:**
* jenkinsfiles: add `IMAGE_REGISTRY` env parameter (Backport PR #19519, Upstream PR #19459, @nbusseneau)
* jenkinsfiles: Increase VM boot timeout (Backport PR #19481, Upstream PR #19458, @pchaigno)

**Misc Changes:**
* add robots.txt to Cilium documentation (Backport PR #19585, Upstream PR #19578, @aanm)
* build(deps): bump actions/checkout from 3.0.1 to 3.0.2 (#19538, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.10.0 to 3 (#19729, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.1 to 2 (#19731, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 (#19618, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 (#19730, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.2.0 to 2 (#19732, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.8 to 2.1.9 (#19600, @dependabot[bot])
* daemon, fqdn: Add flag to control FQDN regex LRU size (Backport PR #19671, Upstream PR #19383, @christarazi)
* daemon: Initialize k8sCachesSynced channel before calling Initk8sSubsystem() (Backport PR #19573, Upstream PR #19626, @jrajahalme)
* docs: fix version warning URL to point to docs.cilium.io (Backport PR #19585, Upstream PR #19563, @aanm)
* docs: improve description for session affinity with KPR (Backport PR #19519, Upstream PR #19478, @julianwiedmann)
* docs: improve guide to setup Cilium overlay on EKS (Backport PR #19481, Upstream PR #19207, @oliwave)
* docs: move sitemap-index.xml to static directory (Backport PR #19752, Upstream PR #19681, @aanm)
* docs: set right path for robots.txt (Backport PR #19671, Upstream PR #19638, @aanm)
* docs: set the right url for API version check (Backport PR #19671, Upstream PR #19610, @aanm)
* docs: Update max MTU value for Nodeport XDP on AWS (Backport PR #19671, Upstream PR #19593, @qmonnet)
* identity: Initialize local identity allocator early (Backport PR #19573, Upstream PR #19556, @jrajahalme)
* images/cilium: remove cilium group from Dockerfile (Backport PR #19752, Upstream PR #19711, @aanm)
* LRP minor improvements (Backport PR #19519, Upstream PR #19489, @aditighag)
* make: check that Go major/minor version matches required version (Backport PR #19585, Upstream PR #19528, @tklauser)
* pkg/bpf: add map name in error message for OpenParallel (Backport PR #19519, Upstream PR #19491, @aanm)
* pkg/k8s: use subresource "nodes/status" to update node annotations (Backport PR #19673, Upstream PR #19590, @aanm)
* pkg/labels: Optimize SortedList() and FormatForKVStore() (Backport PR #19671, Upstream PR #19423, @christarazi)
* pkg/policy/api: Optimize FQDNSelector String() (Backport PR #19671, Upstream PR #19570, @christarazi)
* Removes any log swallowing that was occurring on daemon/cmd init (Backport PR #19671, Upstream PR #19188, @ldelossa)
* test/upgrade: use the unreleased helm chart of stable branches (Backport PR #19752, Upstream PR #19710, @aanm)
* Trimmed down Cilium's Cluster Roles to only the necessary rules (Backport PR #19673, Upstream PR #19074, @aanm)
* v1.11: images/runtime: update CNI plugins to 1.1.1 (#19691, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.4 (#19476, @joestringer)

## v1.11.4

Summary of Changes
------------------

**Minor Changes:**
* k8s: keep CiliumNode labels synced with Node object (Backport PR #19277, Upstream PR #18609, @jibi)
* Locally allocated identities are now restored during restart, helping avoid transient drops due to identity changes in policies. (Backport PR #19403, Upstream PR #19360, @jrajahalme)

**Bugfixes:**
* bpf: Fix maglev hash with hostServices.hostNamespaceOnly (Backport PR #19277, Upstream PR #18336, @ysksuzuki)
* clustermesh: Correct shared service annotation behaviour (Backport PR #19277, Upstream PR #19042, @sayboras)
* cmd: Fix issue where a ConfigMap value of `{}` was parsed as `map["{}":""]`. (Backport PR #19277, Upstream PR #19172, @gandro)
* Fix a bug where a backend pod can be selected by a local redirect policy deployed in a different namespace if the local redirect policy was deployed first. (Backport PR #19277, Upstream PR #19193, @aditighag)
* Fix bug that would cause some pod traffic to leave through the wrong interface if --aws-release-excess-ips is used and masquerading disabled. (Backport PR #19277, Upstream PR #19162, @pchaigno)
* Fix bug where the 'ipcache-inject-labels' controller constantly fails in non-Kubernetes environments (Backport PR #19277, Upstream PR #19165, @christarazi)
* Fix bug where the Cilium DNS proxy slows down significantly (and even OOMs) due to lock contention from spawning many goroutines when handling bursty DNS traffic (Backport PR #19418, Upstream PR #19336, @nebril)
* Fix log rotation of compressed logs (Backport PR #19277, Upstream PR #19152, @chancez)
* Fixed node init in RKE (Backport PR #19418, Upstream PR #19286, @raphink)
* helm: Update Clustermesh-APIServer RBAC permissions for platforms (like Openshift) that have the OwnerReferencesPermissionEnforcement admission controller enabled. (Backport PR #19277, Upstream PR #19071, @nathanjsweet)
* Improve endpoint and DNS proxy lock contention during bursty DNS traffic (Backport PR #19418, Upstream PR #19347, @christarazi)
* Improve reliability of faulty connections for kube-apiservers behind a LB.
 Reduce the number of connections to kube-apiserver by 6 for each cilium-agent. (Backport PR #19330, Upstream PR #19259, @aanm)
* install/kubernetes: fix hubble-ui with TLS (Backport PR #19418, Upstream PR #19338, @aanm)
* metallb: fix SIGSEGV error when Service resource is deleted. (Backport PR #19277, Upstream PR #19249, @Inode1)
* Update the 'refresh period' formatting in readme and doc (Backport PR #19418, Upstream PR #19205, @dongwangdw)
* wireguard: Reject duplicate public keys (Backport PR #19418, Upstream PR #19344, @gandro)

**CI Changes:**
* jenkinsfiles: Update calls to Quay API (Backport PR #19277, Upstream PR #19229, @pchaigno)
* test: Don't redeploy in AfterAll of K8sServices test case (Backport PR #19277, Upstream PR #18869, @brb)
* test: Flush CT tables after L7 proxy tests in K8sServices (Backport PR #19277, Upstream PR #18857, @brb)
* Use docker manifest inspect to wait for images instead of using quay API (Backport PR #19330, Upstream PR #19307, @YutaroHayakawa)
* workflows: Update call to Quay API (Backport PR #19277, Upstream PR #19228, @pchaigno)

**Misc Changes:**
* add 'refreshPeriod' to spelling wordlist (Backport PR #19418, Upstream PR #19394, @aanm)
* Add a 'Limitations' section to 'External Workloads'. (Backport PR #19418, Upstream PR #19366, @bmcustodio)
* add context when returning errors during datapath initialization (Backport PR #19277, Upstream PR #18011, @kerthcet)
* Bpf fix conditional compilation (Backport PR #19277, Upstream PR #19104, @jrajahalme)
* build(deps): bump actions/cache from 3.0.0 to 3.0.1 (#19268, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.1 to 3.0.2 (#19389, @dependabot[bot])
* build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#19447, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.5 to 2.1.6 (#19270, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.6 to 2.1.7 (#19343, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.7 to 2.1.8 (#19374, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.1 to 1.5.2 (#19325, @dependabot[bot])
* build(deps): bump library/alpine from 3.12.7 to 3.15.4 in /images/cache (#19414, @dependabot[bot])
* ci: Pin down image for the documentation workflow (Backport PR #19418, Upstream PR #19356, @qmonnet)
* docs: Clarify use of the `eni.subnetTagsFilter` option (Backport PR #19330, Upstream PR #19276, @gandro)
* docs: Update shared service annotation docs (Backport PR #19418, Upstream PR #19313, @sayboras)
* envoy: Limit accesslog socket permissions (Backport PR #19418, Upstream PR #19190, @jrajahalme)
* ipcache: Add test asserting out-of-order Kubernetes events (Backport PR #19330, Upstream PR #19258, @christarazi)
* k8s: Use kubelet's logic to close all idle connections (Backport PR #19330, Upstream PR #19290, @christarazi)
* logo: fix position of central polygon (Backport PR #19277, Upstream PR #19216, @sisp)
* Test runtime cilium in container (take two) (Backport PR #19403, Upstream PR #19310, @jrajahalme)
* test: Fix whitespace in docker-run-cilium (Backport PR #19403, Upstream PR #19358, @jrajahalme)
* v1.11: Update Go to 1.17.9 (#19445, @tklauser)
* vendor: pull in the latest changes from github.com/vishvananda/netlink (Backport PR #19403, Upstream PR #18618, @aditighag)
* wireguard: Fix invalid bits when agent init (Backport PR #19277, Upstream PR #19118, @Junnplus)

**Other Changes:**
* install: Update image digests for v1.11.3 (#19240, @aanm)

## v1.11.3

Summary of Changes
------------------

**Minor Changes:**
* Adds support to connect Clustermesh clusters through Helm Chart. (Backport PR #19142, Upstream PR #17851, @samueltorres)
* docs: update Azure Service Principal / IPAM documentation (Backport PR #19142, Upstream PR #18891, @nbusseneau)
* Fixes L7 policies with Azure CNI chaining. (Backport PR #19142, Upstream PR #19088, @nitishm)

**Bugfixes:**
* Add missing & fix wrong traces for IPSec + overlay receive path (Backport PR #18905, Upstream PR #18731, @YutaroHayakawa)
* Avoid deleting in-use program arrays in bpf_load() and bpf_load_cgroups() in init.sh (Backport PR #19066, Upstream PR #18985, @ti-mo)
* Cilium monitor now correctly reports security identities for L7 flows. (Backport PR #19142, Upstream PR #18783, @jrajahalme)
* Clarify taint effects in the documentation. (Backport PR #19237, Upstream PR #19186, @bmcustodio)
* clustermesh: fix: identities allocation range (Backport PR #19142, Upstream PR #19076, @abocim)
* clustermesh: Modify shared-service annotation after creation (Backport PR #18905, Upstream PR #18766, @sayboras)
* datapath/config: Fix L2 addr retrieval (Backport PR #19142, Upstream PR #19081, @brb)
* Fix 'node-init' in GKE's 'cos' images. (Backport PR #19142, Upstream PR #19017, @bmcustodio)
* Fix a bug where Cilium would constantly create network interfaces if IPAM limits are reached (Backport PR #19142, Upstream PR #18975, @michi-covalent)
* Fix bug where FQDN policy calculation could trigger a deadlock in cilium-agent (Backport PR #19142, Upstream PR #19031, @joestringer)
* Fix bug where unnecessary ipset was created and populated in tunneling mode with iptables masquerading. (Backport PR #18905, Upstream PR #18788, @pchaigno)
* Fix concurrency issue while waiting for node-init DaemonSet to be ready (Backport PR #19142, Upstream PR #18897, @aanm)
* Fix connectivity outage periods with ENI IPAM mode and IPsec enabled when nodes are deleted from the cluster (Backport PR #18905, Upstream PR #18827, @christarazi)
* Fix IPsec in Azure's IPAM mode (Backport PR #19142, Upstream PR #18911, @pchaigno)
* Fix issue where StatefulSet pod restarts could trigger persistent connectivity issues for the pods due to overzealous CiliumEndpoint resource removal by cilium-agent instances (Backport PR #19142, Upstream PR #18864, @timoreimann)
* Fix support of BPF-based HostPort on init containers. (Backport PR #18905, Upstream PR #18725, @pchaigno)
* Fixed a bug where deleted identities would remain in BPF policy maps. (Backport PR #19142, Upstream PR #19005, @jrajahalme)
* helm: Removed unnecessary Kubernetes RBAC permissions for cilium-agent (Backport PR #19142, Upstream PR #19053, @nathanjsweet)
* hubble: Added nil check in filterByTCPFlags() to avoid segfault (Backport PR #19142, Upstream PR #18877, @wazir-ahmed)

**CI Changes:**
* jenkinsfiles: bump runtime tests VM boot timeout (Backport PR #19142, Upstream PR #18886, @nbusseneau)
* test: Wait until host EP is ready (=regenerated) (Backport PR #18905, Upstream PR #18859, @brb)

**Misc Changes:**
* Add support for Amazon EC2 c7g instances (Backport PR #19142, Upstream PR #18708, @otterley)
* bpf: Remove DNS quirk for monitor aggregation (Backport PR #19142, Upstream PR #19108, @borkmann)
* build(deps): bump actions/cache from 2.1.7 to 3 (#19212, @dependabot[bot])
* build(deps): bump actions/checkout from 2.4.0 to 3 (#18997, @dependabot[bot])
* build(deps): bump actions/download-artifact from 2.1.0 to 3 (#19011, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.2.0 to 3 (#18966, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.3.1 to 3 (#19029, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#19150, @dependabot[bot])
* build(deps): bump docker/login-action from 1.13.0 to 1.14.0 (#18963, @dependabot[bot])
* build(deps): bump docker/login-action from 1.14.0 to 1.14.1 (#18998, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.2 to 1.1.3 (#18931, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.3 to 1.1.4 (#19085, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.4 to 1.1.5 (#19161, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3 (#18948, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3.1.0 (#18961, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.0 to 1.5.1 (#18947, @dependabot[bot])
* docs: fix tip about opening the Hubble server port on all nodes (Backport PR #19142, Upstream PR #19036, @rolinh)
* docs: Remove trailing step in AWS helm install (Backport PR #18905, Upstream PR #18893, @joestringer)
* helm: Enable offline deployments for OpenShift clusters (Backport PR #19142, Upstream PR #18849, @nathanjsweet)
* Makefile: Fix TESTPKGS commandline (Backport PR #19142, Upstream PR #19100, @joestringer)
* pkg/maps: Fix data races around accessing nat maps (Backport PR #19142, Upstream PR #18952, @aditighag)
* v1.11: Update Go to 1.17.8 (#19059, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.2 (#18927, @joestringer)
* v1.11 backport: manual backport of "Recommend 'NoExecute' instead of 'NoSchedule'" (#19143, @bmcustodio)
* v1.11 backport: manual backport of "test: Restructure k8sT/Services.go" (#18881, @brb)
* v1.11: Update Cilium runtime dependencies (#19179, @joestringer)

## v1.11.2

Summary of Changes
------------------

**Minor Changes:**
* Allow using install-no-conntrack-iptables-rules when all masquerading is disabled. (Backport PR #18569, Upstream PR #18482, @pchaigno)
* Cilium images can now be built also on arm64. (Backport PR #18569, Upstream PR #17980, @jrajahalme)
* daemon: Allow to enable PCAP recorder in non-lb mode (Backport PR #18630, Upstream PR #18592, @brb)
* helm: Add values for custom service monitor annotations (Backport PR #18780, Upstream PR #18681, @michi-covalent)
* metrics: Expose xfrm stats in prometheus metrics (Backport PR #18630, Upstream PR #18553, @sayboras)

**Bugfixes:**
* Add missing source identity to drop notifications during encryption with native routing mode (Backport PR #18726, Upstream PR #18682, @YutaroHayakawa)
* Also take secondary CIDRs into account when checking for validity of IPv4NativeRoutingCIDR (Backport PR #18780, Upstream PR #18653, @codablock)
* Cilium host proxy is updated to Envoy release 1.21.1 (Backport PR #18888, Upstream PR #18899, @jrajahalme)
* clustermesh-apiserver: fix cmd-line args processing (Backport PR #18726, Upstream PR #18277, @abocim)
* cmd: Fix issue reading string map type via config map (Backport PR #18726, Upstream PR #18478, @sayboras)
* daemon: Fix missing errors in KPR init (Backport PR #18630, Upstream PR #18499, @brb)
* datapath: Only unload obsolete XDP when attached (Backport PR #18669, Upstream PR #18636, @jaffcheng)
* Fix `bpf lb maglev list` command when ipv4 or ipv6 Maglev lookup tables are empty (Backport PR #18630, Upstream PR #18469, @ti-mo)
* Fix a bug with local redirect policies selecting host networked pods as local endpoints not taking effect. (Backport PR #18726, Upstream PR #18563, @aditighag)
* Fix BPF attachment when bandwidth manager is enabled without host firewall or kube-proxy-replacement. (Backport PR #18780, Upstream PR #18717, @pchaigno)
* Fix bug where Cilium drops traffic from remote nodes in etcd mode, despite policy that allows the traffic (Backport PR #18800, Upstream PR #18777, @joestringer)
* Fix bug where Hubble flows report that a packet is both forwarded and dropped by host firewall. It will now only report the drop. (Backport PR #18630, Upstream PR #18484, @YutaroHayakawa)
* Fix incorrect packet trace for encrypted packets received from the network (Backport PR #18726, Upstream PR #18643, @YutaroHayakawa)
* Fix kube-apiserver policy matching feature with tunneling enabled (Backport PR #18669, Upstream PR #18527, @christarazi)
* Fix the bug that ipsec packets bypass the <- stack trace after encryption (Backport PR #18669, Upstream PR #18608, @YutaroHayakawa)
* hubble/recorder: Sanitize pcap filename (Backport PR #18669, Upstream PR #18612, @gandro)
* labelfilter: Refine default label regexps (Backport PR #18726, Upstream PR #18693, @twpayne)
* monitor: Output non-trace messages to stderr (Backport PR #18630, Upstream PR #18479, @YutaroHayakawa)
* node: Don't skip masquerading for External node IPs (Backport PR #18630, Upstream PR #18483, @pchaigno)
* Preserve tail call maps during resize to prevent drops during agent upgrade (Backport PR #18800, Upstream PR #17744, @ti-mo)
* Prevent unmanaged pods in GKE's containerd flavors.
 *Important:* Users should update their node taints from `node.cilium.io/agent-not-ready=true:NoSchedule` to `node.cilium.io/agent-not-ready=true:NoExecute`.
 *Important:* During the first node reboot after the fix is applied pods may still get IPs from the default CNI as cilium-node-init is only run later in the node startup process. The fix will then be in place for all subsequent reboots. (Backport PR #18726, Upstream PR #18486, @bmcustodio)
* route: sort by priority to identify the default one (Backport PR #18630, Upstream PR #18564, @jibi)
* Skip node ipset updates if iptables masquerading is disabled (Backport PR #18800, Upstream PR #17871, @pchaigno)

**CI Changes:**
* ci: fix QEMU image build following Google Cloud SDK updates (Backport PR #18780, Upstream PR #18720, @nbusseneau)
* ci: remove box download timeout in upstream tests (Backport PR #18726, Upstream PR #18707, @nbusseneau)
* Enable CI for feature branches (Backport PR #18630, Upstream PR #18554, @jibi)
* Fix EncryptStatusSuite.TestCountUniqueIPsecKeys (Backport PR #18569, Upstream PR #18506, @tklauser)
* Set debug.verbose to "flow" as a default for all CI runs (Backport PR #18509, Upstream PR #18431, @christarazi)
* test/runtime: fix flake on non-ready endpoints (Backport PR #18669, Upstream PR #18627, @tklauser)
* test: cleanup Services test suite (Backport PR #18726, Upstream PR #18655, @brb)
* test: Fix pod cleanup after various tests (Backport PR #18669, Upstream PR #18448, @joestringer)
* test: Move service-proxy-name to unit test (Backport PR #18726, Upstream PR #18679, @brb)
* test: Move some Services test cases to separate suites (Backport PR #18726, Upstream PR #18684, @brb)

**Misc Changes:**
* Alibabacloud fixes (Backport PR #18836, Upstream PR #18762, @jaffcheng)
* build(deps): bump actions/setup-go from 2.1.5 to 2.2.0 (#18755, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#18691, @dependabot[bot])
* build(deps): bump docker/login-action from 1.12.0 to 1.13.0 (#18839, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.28 to 1.0.30 (#18601, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.30 to 1.0.31 (#18690, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.31 to 1.0.32 (#18739, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.32 to 1.1.0 (#18786, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.1.0 to 1.1.2 (#18853, @dependabot[bot])
* byteorder: use native instructions in host/network order conversion (Backport PR #18630, Upstream PR #18606, @tklauser)
* Cilium host proxy is updated to Envoy release 1.21.0 (Backport PR #18888, Upstream PR #18748, @jrajahalme)
* contrib: Fix backport submission for own PRs (Backport PR #18569, Upstream PR #17988, @joestringer)
* contrib: Fix release script helm value generation (Backport PR #18630, Upstream PR #18538, @joestringer)
* daemon: Init k8s watchers after setting agent flags (Backport PR #18800, Upstream PR #18770, @pchaigno)
* datapath: Change FIB lookups to enable NodePort multihoming (Backport PR #18669, Upstream PR #18585, @brb)
* doc: getting started minor fixes (Backport PR #18569, Upstream PR #18024, @kaworu)
* docs: add Hands-on tutorial (Backport PR #18726, Upstream PR #18583, @vannyle)
* docs: disable k3s network policy enforcement (Backport PR #18726, Upstream PR #18671, @tklauser)
* docs: Document required kernel configuration options (Backport PR #18630, Upstream PR #18546, @pchaigno)
* docs: Don't mark pre-upgrade step as "recommended" (Backport PR #18569, Upstream PR #18468, @pchaigno)
* docs: Don't rely on `assignee` filter for reviews (Backport PR #18726, Upstream PR #18676, @pchaigno)
* docs: export KUBECONFIG for cilium-cli with k3s (Backport PR #18726, Upstream PR #18697, @tklauser)
* docs: Fix incorrect values for hubble-ui standalone install (Backport PR #18800, Upstream PR #18661, @ysksuzuki)
* docs: Minor updates to IPsec limitations (Backport PR #18669, Upstream PR #18647, @pchaigno)
* docs: Update clustermesh example verification steps (Backport PR #18780, Upstream PR #18764, @sayboras)
* helm: Update links in values.yaml (Backport PR #18569, Upstream PR #18471, @sayboras)
* iptables: Fix race condition on ipset removal (Backport PR #18836, Upstream PR #18790, @pchaigno)
* k8s: Update libraries to 1.23.3 (Backport PR #18780, Upstream PR #18633, @christarazi)
* node: Fix bug where node ipsets are never cleaned (Backport PR #18630, Upstream PR #18582, @pchaigno)
* update k8s library versions (#18587, @aanm)
* v1.11: Update Go to 1.17.7 (#18797, @tklauser)

**Other Changes:**
* install: Update image digests for v1.11.1 (#18539, @joestringer)
* v1.11: Update Cilium base images (#18876, @joestringer)

## v1.11.1

Summary of Changes
------------------

**Bugfixes:**
* bgp,bugfix: parse ips when converting from slim\_core to k8s service (Backport PR #18488, Upstream PR #18358, @ldelossa)
* bpf: egressgw: sync logic to determine if destination is outside cluster (Backport PR #18418, Upstream PR #18246, @jibi)
* daemon: Fix KPR init finalisation (Backport PR #18418, Upstream PR #18304, @brb)
* daemon: Fix multi-dev XDP check (Backport PR #18364, Upstream PR #18305, @brb)
* egressgateway: fix initial reconciliation (Backport PR #18418, Upstream PR #18325, @jibi)
* identity: fix incorrect maximum identity when ClusterID > 0 (Backport PR #18232, Upstream PR #18148, @ArthurChiao)
* Fix an issue where the tunnel map sync controller causes errors even though tunneling is disabled. (Backport PR #18275, Upstream PR #18247, @tklauser)
* Fix crash on startup if proxy is disabled (Backport PR #18275, Upstream PR #18198, @chaosbox)
* Fix deadlock with kube-apiserver policy matching feature (Backport PR #18418, Upstream PR #18343, @codablock)
* Fix for a bug where unused IPs on the node cannot be allocated when IP release handshake is enabled. Adds support for aborting IP release, if the node doesn't have excess anymore. (Backport PR #18418, Upstream PR #18330, @hemanthmalla)
* Fix for data race in IP release features (Backport PR #18232, Upstream PR #18217, @hemanthmalla)
* Fix for excess IP release race condition. New operator flag excess-ip-release-delay is introduced to control waiting period before marking an IP for release. (Backport PR #18232, Upstream PR #17939, @hemanthmalla)
* Fix possible IP leak in case ENIs are not present in the CN yet (Backport PR #18418, Upstream PR #18352, @codablock)
* Fix TCP connectivity issues in the DSR mode when conntrack entries with missing DSR flag are reused. (Backport PR #18275, Upstream PR #18041, @Inode1)
* helm: Fix Helm template for externalWorkloads (Backport PR #18275, Upstream PR #18206, @gandro)
* hubble: Fix misclassification of `to-network` reply packets (Backport PR #18275, Upstream PR #18196, @gandro)
* Improvements to excess IP release handshake (Backport PR #18364, Upstream PR #18296, @hemanthmalla)
* policy: Fix selector identity release for FQDN (Backport PR #18232, Upstream PR #18166, @joestringer)

**CI Changes:**
* Add basic kube-apiserver policy matching e2e test (Backport PR #18464, Upstream PR #18333, @christarazi)
* ci: Require cluster-wide connectivity before running tests (Backport PR #18275, Upstream PR #18153, @gandro)
* ci: use python3 instead of python (Backport PR #18444, Upstream PR #18443, @nebril)
* test/helpers: fix kubectl version detection for RCs (Backport PR #18232, Upstream PR #18133, @tklauser)
* test: Add Error Log Exceptions (Backport PR #18232, Upstream PR #18117, @nathanjsweet)
* test: bump l4lb Vagrantfile kind to 0.11.1 (Backport PR #18418, Upstream PR #18370, @jibi)
* test: Use stable image tag for Graceful termination test (Backport PR #18232, Upstream PR #18208, @aditighag)
* test: use stable zookeeper image (Backport PR #18232, Upstream PR #18186, @tklauser)
* v1.11 ci: set PR base for codeql workflow (#18368, @tklauser)
* workflows: Run CodeQL workflow if the workflow is edited (Backport PR #18232, Upstream PR #17982, @pchaigno)

**Misc Changes:**
* .github: add parameter to allow for image suffix (Backport PR #18232, Upstream PR #18200, @aanm)
* Adds missing lock for cesTracker operation (Backport PR #18418, Upstream PR #18055, @Weil0ng)
* bpf: Reset Pod's queue mapping in host veth to fix phys dev mq selection (Backport PR #18418, Upstream PR #18388, @borkmann)
* build(deps): bump 8398a7/action-slack from 3.12.0 to 3.13.0 (#18427, @dependabot[bot])
* build(deps): bump actions/download-artifact from 2.0.10 to 2.1.0 (#18161, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.1.4 to 2.1.5 (#18319, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.2.4 to 2.3.0 (#18164, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.3.0 to 2.3.1 (#18264, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#18521, @dependabot[bot])
* build(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#18310, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.23 to 1.0.26 (#18244, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.26 to 1.0.27 (#18450, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.27 to 1.0.28 (#18531, @dependabot[bot])
* Changed the documentation for Kubespray installation to recommend using `-e` flag for `cilium_version` variable instead of editing the role variables. (Backport PR #18418, Upstream PR #18342, @necatican)
* Clarify identity generated from CIDR-based policies and add security identity internal docs (Backport PR #18444, Upstream PR #16716, @christarazi)
* codeowners: update for v1.11 backports (#18249, @nbusseneau)
* docs: Document the kube-apiserver entity (Backport PR #18444, Upstream PR #18396, @christarazi)
* docs: Fix `first-interface-index` documentation (Backport PR #18418, Upstream PR #18327, @gandro)
* docs: Fix incorrect mention of `bpf.masquerade`'s default value (Backport PR #18444, Upstream PR #18420, @pchaigno)
* docs: fix link to signoff / certificate of origin section (Backport PR #18232, Upstream PR #18123, @timoreimann)
* docs: fix small spelling mistakes in masquerading pages (Backport PR #18418, Upstream PR #18338, @yanhongchang)
* docs: Remove incorrect beta note for host policies (Backport PR #18488, Upstream PR #18470, @pchaigno)
* docs: Replace 'micro version' with 'patch version' (Backport PR #18364, Upstream PR #18279, @pchaigno)
* docs: Replace janitors team with tophat team (Backport PR #18444, Upstream PR #18430, @pchaigno)
* docs: Update the kind documentation with cgroup requirements (Backport PR #18418, Upstream PR #18269, @aditighag)
* docs: Update the minimum required Minikube version (Backport PR #18232, Upstream PR #18155, @pchaigno)
* docs: Warn against Helm's `--reuse-values` in Cilium upgrades (Backport PR #18275, Upstream PR #18259, @gandro)
* Fix helm chart annotations for CRDs installed by Cilium (Backport PR #18364, Upstream PR #18141, @joestringer)
* install: Fix hubble-ui image references (Backport PR #18232, Upstream PR #18209, @joestringer)
* k8s: Fix CRD schema version for v2alpha1 (Backport PR #18275, Upstream PR #18215, @joestringer)
* k8s: update libraries to v1.23.0 (Backport PR #18275, Upstream PR #18190, @aanm)
* Makefile: Add kind-image target (Backport PR #18232, Upstream PR #17990, @joestringer)
* Makefile: Push image in 'kind-image' target (Backport PR #18232, Upstream PR #18167, @joestringer)
* release: Generate helm values docs (Backport PR #18232, Upstream PR #18137, @joestringer)
* Revert "test/Services: Quarantine 'Checks service on same node'" (Backport PR #18232, Upstream PR #18170, @borkmann)
* Stabilize kube-apiserver policy matching feature, namely by fixing unnecessary identity churn when kube-apiserver is running outside of the cluster (Backport PR #18390, Upstream PR #18150, @christarazi)
* ui: v0.8.5 (Backport PR #18232, Upstream PR #18203, @geakstr)
* Update aws-sdk-go-v2 to support m6a, c6i, im4gn, is4gen, g5g and g5 EC2 instance types (Backport PR #18275, Upstream PR #18220, @ese)
* v1.11: images: update gops binary in images to v0.3.22 (#18176, @tklauser)
* v1.11: Update Go to 1.17.4 (#18129, @tklauser)
* v1.11: Update Go to 1.17.5 (#18225, @tklauser)
* v1.11: Update Go to 1.17.6 (#18416, @tklauser)
* vendor: Promote controller-tools fork to cilium repo (Backport PR #18364, Upstream PR #18185, @christarazi)

**Other Changes:**
* .github: Tag new v1.11 releases with stable tag (#18271, @joestringer)
* install: Update image digests for v1.11.0 (#18136, @joestringer)
* v1.11: CODEOWNERS: janitors renamed to tophat (#18361, @pchaigno)
* v1.11: Update dependencies in cilium-runtime image (#18492, @joestringer)

## v1.11.0

Summary of Changes
------------------

**Major Changes:**
* Add K8s Service Topology Aware Hints (Backport PR #18027, Upstream PR #17929, @brb)
* Add support for k8s 1.23.0 (Backport PR #18027, Upstream PR #18008, @aanm)
* Cilium Istio integration is updated to Istio release 1.9.6. (#16766, @jrajahalme)
* doc: New performance benchmarks and tuning guide (#15943, @tgraf)
* Enable CiliumEndpointSlice feature (#17658, @krishgobinath)
* policy: Add ICMP and ICMPv6 support for CNP and CCNP with a feature flag (#16516, @chez-shanpu)
* Provide new installation steps to deploy Cilium in managed kubernetes providers (GKE, EKS, AKS) to allow scale up and down node pools. (#16631, @aanm)
* Support policy matching against kube-apiserver (#17823, @joestringer)

**Minor Changes:**
* `allow-any-ingress` and `allow-remotehost-ingress` are now used instead of `allow-localhost-ingress` in policy rule `derivedFrom` list when appropriate. (#16972, @jrajahalme)
* Add flag to list all available configurations (#17303, @h3llix)
* Add Helm option to disable registering CRD from Cilium Operator (#15655, @Fedosin)
* Add validation of agent flag values for ConfigMap (#16014, @romanspb80)
* Add WireGuard status to cilium encrypt. (#17684, @h3llix)
* Add workload name and workload kind to slim api and hubble api (#16514, @sugangli)
* Adds new Cilium subcommand: `cilium encrypt status` and `cilium encrypt flush` (#16770, @h3llix)
* Auto discover ipv6-mcast-device if not provided (#16692, @sarveshr7)
* Auto-detect Azure cloud name via IMDS (#16515, @ungureanuvladvictor)
* Auto-mount bpf file-system from within Cilium DaemonSet and remove the requirement of having it mounted in the host. (#16656, @aanm)
* AWS eni: Support Instance Metadata Service Version 2 (IMDSv2) (#15828, @Smana)
* bpf: Derive host netns cookie via SO_NETNS_COOKIE (#17018, @brb)
* Cilium Istio integration is updated to Istio release 1.10.3. (#17037, @jrajahalme)
* cilium: Improve user experience of policy trace with regard to port a… (#15929, @Maddy007-maha)
* cilium: Make CLI more graceful on environments with IPv6 disabled (#16168, @Maddy007-maha)
* cleanup helm chart (#16896, @dungdm93)
* crd: Add categories for cilium CRDs (#17162, @sayboras)
* daemon: Add option --bpf-lb-external-clusterip (#15650, @joamaki)
* daemon: Add wildcard support to --devices ("eth+") (#15697, @joamaki)
* daemon: make consecutive quorum errors threshold configurable (#16885, @ArthurChiao)
* daemon: Make L2 neighbor discovery configurable. (#16974, @bjhaid)
* datapath,daemon: Enable multi-dev XDP (#17655, @brb)
* datapath: Add a flag to set VXLAN and Geneve ports (#16874, @errordeveloper)
* datapath: Add a new option to skip socket lb when in pod ns (#17154, @brb)
* datapath: optionally disable SIP verification (#16134, @oblazek)
* Detect devices from global unicast routes in addition to only looking for the device with the Kubernetes Node IP and the one with default route. This expands the set of devices used for kube-proxy replacement, host firewall and bandwidth manager and should reduce the need to specify devices manually. (#17219, @joamaki)
* Display host firewall status in `cilium status` (#17165, @pchaigno)
* doc: Add more generic install section for egress gateway guide (#16087, @tgraf)
* doc: Reword some results (#15955, @tgraf)
* doc: Update diagrams in benchmark report (#16063, @tgraf)
* docs: Remove firewall hack for OKD GSG (#17924, @errordeveloper)
* docs: Revert host firewall to beta for kube-proxy setups (#16149, @pchaigno)
* Envoy is updated to release 1.18.3 (#17024, @jrajahalme)
* Extend `cilium config` to expose all active configurations. Add subcommand `cilium config get` to get configurations from CLI (#16519, @h3llix)
* feat: allow installing hubble ui as standalone (#17473, @eddycharly)
* feat: generate tls certs for ui on helm install (#16601, @yandzee)
* Fixes connectivity issues when kube-proxy replacement is enabled, caused by ineffective socket based load balancing (aka host reachable services) in the private cgroup namespace mode of container runtimes (e.g., docker cgroupv2 configuration). (#16259, @aditighag)
* health: Add flag to set HTTP port (#16926, @errordeveloper)
* helm: add back 'wellKnownIdentities' (#16142, @bmcustodio)
* helm: Add support for disable-endpoint-crd option (#16226, @dntosas)
* helm: Disable BPF masquerading in v1.10+ (#17824, @pchaigno)
* helm: Disable the bandwidth manager by default (#16380, @pchaigno)
* helm: Use `batch/v1` apiVersion for CronJob in K8s 1.21+ (#16635, @gandro)
* HTTP response access logs no longer contain the request headers, except for 'x-request-id', which is still included for request/response correlation purposes. (#16211, @jrajahalme)
* Hubble logs for HTTP responses now include HTTP response headers. (#16013, @jrajahalme)
* hubble/recorder: Extend the API to allow stopping a recording automatically (#16473, @gandro)
* hubble: bump protoc{,-gen-go} and dependencies (#16915, @rolinh)
* hubble: Hubble node_name field should contain cluster name (#15933, @Maddy007-maha)
* images: Bump Hubble CLI to v0.8.0 (#15983, @gandro)
* images: Bump Hubble CLI to v0.9.0 (Backport PR #18119, Upstream PR #18077, @gandro)
* Improve Hubble memory usage and performance on decoding events (#17482, @tklauser)
* install: Disable kube-proxy-replacement by default (#15422, @tgraf)
* Make NodePort BPF to work on VLAN devices (#16772, @kvaster)
* node-neigh: Locking, logging, misc improvements (#15783, @brb)
* option: Rename egress gateway flag to `enable-ipv4-egress-gateway` (#17695, @pchaigno)
* pkg/aws/eni: new subnet-ids parameter (#16119, @mvisonneau)
* Pod L7 visibility annotations are now supported also when policy enforcement is enabled. (#16258, @jrajahalme)
* Pod visibility annotations are now supported for Kafka and other policies implemented via Cilium Go extensions for Envoy. (#16935, @trvll)
* Reduce bugtool memory usage (#17546, @tklauser)
* Remove deprecated --update-ec2-apdater-limit-via-api option (#16374, @twpayne)
* Remove deprecated code (#16502, @pchaigno)
* Rename `hostFirewall` and mark stable (#17221, @pchaigno)
* service: Always allocate higher ID for svc/backend (Backport PR #18119, Upstream PR #18113, @brb)
* Skip iptables masquerading for packets destined to remote nodes (#16603, @pchaigno)
* Store the previous Cilium's configuration options in the host (#16017, @aanm)
* Support advertising Pod CIDRs via BGP (#16525, @christarazi)
* Support EndpointSlices with BGP mode by updating MetalLB to v0.10.0 (#16524, @christarazi)
* Support graceful termination for service load-balancing such that active connections don't break when endpoints are deleted. (#17716, @aditighag)
* Support non-default Azure clouds (#16043, @ungureanuvladvictor)
* Support TLS certificate auto-generation using certmanager (#17238, @dungdm93)
* Use correct tolerations value when deploying cilium-operator via helm. (#15992, @michaelpetrov)
* vendor: Update k8s dependencies and tests to 1.22.0-rc.0 (#16989, @nathanjsweet)
* wireguard: Add fallback to userspace implementation (#17451, @gandro)
* wireguard: Set wireguard and route MTU to detected MTU (#16020, @joamaki)

**Bugfixes:**
* `cluster-pool-ipv4-cidr` and `cluster-pool-ipv6-cidr` options now accept string slices and not just string (#17780, @cndoit18)
* Add '*.mesh.cilium.io' to the list of SANs for the server certificate of 'clustermesh-apiserver'. (#17027, @bmcustodio)
* Additional FQDN selector identity tracking fixes (#17788, @joestringer)
* Adds an `ACCEPT` rule for untracked pkts in `filter:CILIUM_OUTPUT` (#17585, @Weil0ng)
* Adds IPv6 support for generic-veth chaining plugin (#16041, @Weil0ng)
* alibabacloud: fix race (#16175, @l1b0k)
* bpf: exclude pod's reply traffic from egress gateway logic (#17869, @jibi)
* bpf: fix hw_csum issue for icmp probe packets (#16604, @borkmann)
* bpf: fix iptables masquerading for node -> remote pod traffic (#16136, @jibi)
* bug/pkg/health: Fix Nil Address Issue in Node Update Mechanism (#17667, @nathanjsweet)
* bugtool: fix data race occurring when running commands (#17916, @rolinh)
* bugtool: fix IP route debug gathering commands (Backport PR #18076, Upstream PR #18059, @tklauser)
* change log level for `lock failed: endpoint is in the process of being removed` (#16773, @humancalico)
* Cilium Envoy integration is updated to Envoy release 1.18.4 (#17236, @jrajahalme)
* Cilium Istio integration is updated to Istio release 1.10.4 (#17275, @jrajahalme)
* cilium: Encryption EKS 4.14 kernel (default) fixes (#15867, @jrfastab)
* daemon, node: Fix faulty router IP restoration logic (#16672, @christarazi)
* daemon, node: Remove old, discarded router IPs from `cilium_host` (Backport PR #18076, Upstream PR #17762, @christarazi)
* daemon: Ignore cilium_* interfaces when deriving NodePort device (#16104, @eyanulis)
* daemon: require BPF masq to enable --install-no-conntrack-iptables-rules (#16085, @jibi)
* datapath: Do not SNAT replies to outside (#17168, @brb)
* datapath: panic explicitly when IP of direct-routing-device not found (#17064, @ArthurChiao)
* datapath: Use TUNNEL_MODE as indicator for tunnel mode (#16328, @anfernee)
* Define operator feature flags to allow the operator to register related CRDs. (#17772, @pchaigno)
* DNS proxy is now more available during Cilium restarts, including upgrades. (#16391, @jrajahalme)
* Drop a `@` in clustermesh-apiserver helm chart (#15934, @anthr76)
* egress gateway: fix non-tunnel (direct routing) mode (#17517, @kkourt)
* egressgateway: Allow several CENPs with same egress IP (#17773, @pchaigno)
* egressgateway: fix manager logic (Backport PR #18027, Upstream PR #17813, @jibi)
* endpoint: trigger k8s sync controller on identity update (#16381, @jibi)
* eni: Fix Cilium overallocating network interfaces (#15911, @gandro)
* Envoy configuration is fixed to work also when IPv6 is disabled. (#17281, @rock-andy)
* Envoy configuration with `--proxy-prometheus-port` is fixed. (#16834, @jrajahalme)
* Envoy is updated to release 1.17.3 (#16102, @jrajahalme)
* External Workloads service access is enabled again. (#16662, @jrajahalme)
* Fix "unable to update ipcache map entry on pod add" harmless log warnings (#16286, @aanm)
* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (#16084, @pchaigno)
* Fix a crash where user specifies incorrect service name in a local redirect policy config, or policy selected service is added after the policy is added. (#16216, @aditighag)
* Fix aws-cni integration where pods were not being scheduled (#15915, @aanm)
* Fix bug where Cilium allocates a new router (`cilium_host`) IP upon node reboot, breaking connectivity especially with IPsec (#16307, @christarazi)
* Fix bug where IP addresses of devices in unknown state are resolved as remote-node (#17418, @jibi)
* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (#16057, @christarazi)
* Fix bug where the agents would silently skip all IPv6 masquerading due to an incorrect configuration. (#17906, @pchaigno)
* Fix bug where timers used for retries sometimes fired immediately (#16955, @gandro)
* Fix bug where users were unable to use node-selectors in the BGP configuration when using BGP support (#16341, @christarazi)
* Fix bug with Helm chart where a user could not enable BGP and set Operator resources. (#16273, @rkage)
* Fix identity leak via FQDN selectors (#17699, @joestringer)
* Fix incorrect application of egress gateway policy to internal cluster traffic. Require a 5.2 kernel or later for the egress gateway policy feature. (#17639, @kkourt)
* Fix incorrect packet path with IPsec and endpoint routes, which can cause incorrect policy drops. (#17000, @pchaigno)
* Fix issue where generating Hubble certs was broken (#16509, @alex1989hu)
* Fix issue where local host IPs may be briefly associated with the remote-node identity, causing policy drops when policy should allow traffic from the host. (#17836, @joestringer)
* Fix Linux slave interface detection (#17189, @pchaigno)
* Fix memory leak that can occur with the presence of FQDN policies (#17432, @aanm)
* Fix several complexity and program size issues when only one of IPv4/IPv6 is enabled. (#17573, @pchaigno)
* Fix transient policy deny during agent restart (#17115, @jaffcheng)
* Fixed bug causing policy realization to be skipped in some scenarios with endpoint identity churn. (#16271, @jrajahalme)
* Fixes a bug where IPv6 pod CIDRs with leading zeros were not supported (#17707, @gandro)
* Fixes an issue which can cause traffic to be dropped when running Cilium in ENI mode due to the presence of iptables rules left over by the AWS VPC CNI plugin. Notable features that could be impacted include the egress gateway functionality. (#17845, @bmcustodio)
* Fixes for IPsec and endpoint routes (#17865, @kkourt)
* Fixes out-of-sync CEP update (#17001, @Weil0ng)
* helm: Fix operator cloud image digests (Backport PR #18119, Upstream PR #18116, @joestringer)
* helm: Fix patch failure when updating `hubble-generate-certs` (#16373, @gandro)
* helm: upgrade envoy to v1.18.4 for hubble-ui (#17439, @geakstr)
* hubble/recorder: Refactor service implementation to fix multiple races (#16472, @gandro)
* hubble: Display proxy redirects in policy verdict events (#17411, @pchaigno)
* hubble: Never fail with ErrInvalidRead (#17046, @michi-covalent)
* Ignore K8s namespace events that have the same labels (#16268, @aanm)
* install: Allow setting enable-health-check-nodeport to 'false' (#16323, @dctrwatson)
* ipam/crd: Fix spurious "Unable to update CiliumNode custom resource" failures in cilium-agent (Backport PR #18027, Upstream PR #17856, @gandro)
* ipam: fix crd mode (#16493, @joamaki)
* ipsec: Fix logging of SPI after key rotations (#16557, @pchaigno)
* ipsec: Fix off-by-one error on max keyID (#16647, @pchaigno)
* iptables: Remove leading zeroes (#16817, @jrajahalme)
* L7 proxy redirection on IPv6 ingress to a pod is fixed to properly update IPv6 hop limit. (#17718, @jrajahalme)
* lbmap: fix deletion and recreation logic for maglev maps (#16850, @jibi)
* loader: Revert incorrect initialization of endpoints in chaining mode (#16227, @pchaigno)
* lrp: Skip clusterIP service restore in service delete callback (#16548, @aditighag)
* node-init: cleanup snat iptables rules when running in eni mode with masquerading disabled (#16840, @bmcustodio)
* node: Fix race condition on labels' getter/setter (#17217, @pchaigno)
* node: Skip ipcache for remote node IPs if IPsec is enabled (#17511, @pchaigno)
* Operator gc incluster identities only (#17589, @ArthurChiao)
* operator: only GC identity keys of its own cluster (#16825, @ArthurChiao)
* Optimize memory consumption for clusters with high number of repeated FQDN matchPattern or matchNames (#17224, @aanm)
* Perform reverse NAT at host interface (#15354, @krishgobinath)
* pkg/identity: Add missing labels to well-known identities (#16585, @mauriciovasquezbernal)
* pkg/k8s: fix invalid memory address or nil pointer dereference (#17642, @aanm)
* pkg/option: Fix default assignment of EnableWellKnownIdentities (#16434, @mauriciovasquezbernal)
* Plumb Azure interface's VPC / primary CIDR and set it as native routing CIDR in Azure IPAM mode (#16696, @christarazi)
* policy: Fix `cilium policy trace` output when only deny rules are applied (#16991, @chez-shanpu)
* Potential deadlock in pod identity updates has been fixed. (#16529, @jrajahalme)
* Potential deadlock in pod identity updates has been fixed. (#16801, @jrajahalme)
* Prometheus lint errors in operator metrics (Backport PR #18076, Upstream PR #17789, @krishgobinath)
* Remove `node.cilium.io/agent-not-ready` node taints if they are re-added after Cilium has started (#17112, @aanm)
* Remove CiliumNode deletion logic from CiliumNode watcher and guarantee CiliumNode's OwnerReference is always set (#17329, @christarazi)
* Remove previous PERM ARP entries installed by Cilium when kube-proxy-replacement and IPSec are disabled. (#16359, @aanm)
* Removes cilium daemonset's dependencies on utilities like `sh` and `mount` being installed in the underlying host distributions. (#16815, @aditighag)
* routing: Fix incorrect interface selection for egress pod routes (#17169, @pchaigno)
* Set right User Agent in Kubernetes client for all Cilium components. (#17417, @aanm)
* ui envoy: fix config to keep grpc conn (#15938, @geakstr)
* wireguard: Fix traffic counters in `cilium debuginfo` (#16178, @gandro)

**CI Changes:**
* .github/workflows: install ginkgo for test suite build test (#16605, @tklauser)
* .github/workflows: use latest stable cilium-cli release (#16892, @tklauser)
* .github/workflows: verify that each commit builds for test suite changes (#16556, @tklauser)
* .github: AWS-CNI end-to-end test (#16365, @pchaigno)
* .github: Bump CLI version to v0.6 (#15948, @joestringer)
* .github: Cancel outdated GitHub workflows (#16199, @pchaigno)
* .github: Capture hubble flows when smoke test fails (#16968, @christarazi)
* .github: Disable flow validation in flaky tests (#16388, @pchaigno)
* .github: do not useDigest in conformance tests (#16836, @aanm)
* .github: Don't persist credentials in repository (#16052, @pchaigno)
* .github: Don't run CodeQL for every master push (#16241, @pchaigno)
* .github: Don't wait for GKE cluster cleanup (#16319, @pchaigno)
* .github: Fix codeQL workflow skip logic (#17587, @joestringer)
* .github: Fix concurrency group comment triggers (#16310, @pchaigno)
* .github: Fix error triggered by large comments (#16360, @pchaigno)
* .github: Fix scheduled end-to-end tests (#16274, @pchaigno)
* .github: Fix smoke tests sysdump collection from failing prematurely (#17032, @christarazi)
* .github: harden permissions on GH workflows (#16941, @aanm)
* .github: Limit CodeQL workflow to .go files (#16389, @pchaigno)
* .github: Set commit status to error when workflows are cancelled (#16155, @pchaigno)
* .github: Skip unnecessary workflow steps (#16157, @pchaigno)
* .github: Speed up cluster cleanups in end-to-end tests (#16207, @pchaigno)
* .github: Test IPsec with high value for keyID (#16113, @pchaigno)
* .github: Update docs workflow to checkout v2 (#16135, @pchaigno)
* .travis.yml: Disable arm64-graviton2-race (#17650, @joamaki)
* Add workflows for stable branches (#16944, @aanm)
* aks: fix AKS cluster creation following new taint limitations (#17529, @nbusseneau)
* aws: Disable flaky test (Backport PR #18109, Upstream PR #18092, @joestringer)
* bpf/Makefile: Enable setting complexity options (#17364, @pchaigno)
* bpf: Add WireGuard to complexity and compile tests (Backport PR #18076, Upstream PR #18048, @pchaigno)
* bpf: Define `EGRESS_MAP` in dummy `node_config.h` (#17574, @pchaigno)
* Bump cilium-cli to v0.8.4 (#16799, @tklauser)
* checkpatch: update to latest image to fix checkpatch exit status (#17450, @qmonnet)
* CI, docs: remove libelf-dev from dependencies (#17687, @tklauser)
* ci-gke: Add -v=6 for `kubectl get pods` (#15994, @michi-covalent)
* ci-multicluster: Fix post-test information gathering (#16712, @gandro)
* ci/conformance: Various image-related fixes (#16715, @gandro)
* ci/multicluster: Test WireGuard in clustermesh (#17453, @gandro)
* ci/wireguard: Ensure allowedIPs are set as expected (#16011, @gandro)
* ci: add slack notification to GH actions (#16218, @nebril)
* ci: Bump cilium-cli version (#16617, @nebril)
* ci: Bump ubuntu-next image (#16865, @brb)
* ci: Disable NFS locking (#16554, @gandro)
* ci: fix sysdump path (#17455, @nebril)
* ci: Restart pods when toggling KPR switch (Backport PR #18076, Upstream PR #18031, @brb)
* ci: restart portmap service on CI nodes (#16506, @nebril)
* ci: update CI Vagrant VM IP addresses (#17733, @nbusseneau)
* ci: update CI Vagrant VM IP addresses (#17900, @nbusseneau)
* ci: update cilium-cli to 0.9.1 (#17464, @nebril)
* CI: update cilium-cli to v0.9.2 (#17706, @tklauser)
* ci: update cilium-cli to v0.9.3 (#17834, @tklauser)
* cicd: skip codeql on forks (#16560, @ldelossa)
* conformance tests: Use hubble-relay-ci image (#16363, @michi-covalent)
* connectivity-check: Reduce chances of port conflict with proxy (#15988, @pchaigno)
* dependabot: re-enable Ginkgo updates (#17742, @tklauser)
* docs: check updates for the Helm reference (#17613, @qmonnet)
* ebpf unit testing (#16862, @xinyuannn)
* ebpf unit testing -- handle tailcalls and support user-space map emulation (#17114, @xinyuannn)
* Enable CiliumEndpointSlice feature testing on Kubernetes version 1.21 (#17698, @krishgobinath)
* examples, connectivity-check, test: Use even-numbered nodePort (#16158, @christarazi)
* Fix and add more commands in CI sysdumps (#16721, @aanm)
* Fix Azure-related data races (#17054, @christarazi)
* Fix kubectl CI flakiness (Backport PR #18109, Upstream PR #18087, @aanm)
* github: Misc improvements for the L4LB test suite (#17005, @brb)
* helm,test: Add standalone L4LB XDP tests in a form of Github Action (#16338, @brb)
* hubble/relay: Fix close of closed channel in unit test (#16958, @gandro)
* Improve ipsec compile-time testing in CI (#15872, @joestringer)
* jenkins: switch runtime tests from 4.9 to net-next on master (#17186, @nbusseneau)
* jenkinsfiles: fix race detector pipelines (#16056, @nbusseneau)
* k8sT/Egress: fixes (#17581, @kkourt)
* Make LRP restore test logic robust and optimized (#16194, @aditighag)
* mlh: update Jenkins jobs following 1.22 support (#17721, @nbusseneau)
* mlh: update Jenkins jobs following 1.23 support (#18069, @nbusseneau)
* node-neigh: Fix concurrent arping update unit test flake (#16578, @brb)
* node-neigh: Fix unit test flake (#16072, @brb)
* node-neigh: Wait instead of sleeping in unit tests (#17035, @aanm)
* node: fix arpping test (#16432, @jibi)
* NodePort health checks should be disabled when kube-proxy is installed (#16477, @pchaigno)
* Pick up cilium-cli v0.8.2 (#16650, @michi-covalent)
* Pick up cilium-cli v0.8.3 (#16689, @michi-covalent)
* Pinned docker images by SHA within GitHub actions. (#17739, @nathan-415)
* Quarantine frequent failures (Backport PR #18076, Upstream PR #18051, @joestringer)
* rate: fix TestStressRateLimiter when run with race detector (#16262, @tklauser)
* Remove tests/ and examples/demo/ (#17003, @brb)
* Revert ".github: Create lint-rst.yaml" (#16786, @bmcustodio)
* Revert "ci: update CI Vagrant VM IP addresses" (#17898, @ti-mo)
* Switch ginkgo upgrade testing to upgrade from v1.10->latest (#16483, @joestringer)
* test/Bookinfo: Collect full artifact in case of failure (#16775, @pchaigno)
* test/contrib: Bump CoreDNS version to 1.8.3 (Backport PR #18109, Upstream PR #18018, @brb)
* test/helpers: add the json output debug in case of failure (#17070, @aanm)
* test/helpers: Fail test on errors (#16395, @pchaigno)
* test/helpers: Fix incorrect count of endpoints (#16437, @pchaigno)
* test/helpers: Fix panic due to missing CEP status (#16443, @pchaigno)
* test/helpers: Save JSON artifacts as .json (#16442, @pchaigno)
* test/K8sBookInfo: Readiness probes for test pods (#16869, @pchaigno)
* test/K8sVerifier: Cover several datapath configurations (#17470, @pchaigno)
* test/runtime: Look into log errors after test start (#17351, @joamaki)
* test/runtime: Wait for endpoints to be ready before querying by labels (#15990, @pchaigno)
* test: 5.4 CI job (#15765, @pchaigno)
* test: Add klog lock error to allow-list (#16698, @pchaigno)
* test: Adds test for BPF NAT engine handles unknown protocol packets (#15914, @navarrothiago)
* test: bump coredns version to 1.7.0 (#17489, @aanm)
* test: Clean up hubble-ui clusterrole (#17702, @aditighag)
* test: Debug `kubectl.GetPrivateIface` failure (#16863, @pchaigno)
* test: Debug IPsec test (#16700, @pchaigno)
* test: Delete DNS pods in AfterAll for datapath tests (#16835, @joestringer)
* test: Delete Istio resources if install does not complete (#16440, @jrajahalme)
* test: Do not require netpols in 'waitNextPolicyRevisions()' (#17769, @jrajahalme)
* test: do not useDigest in upstream tests (#16886, @aanm)
* test: Don't pass namespace for CCNPs (#16768, @pchaigno)
* test: Don't skip encapsulation tests on GKE (#16627, @pchaigno)
* test: Enable verbose policy logs to help debug flake (#16748, @pchaigno)
* test: Extend coredns clusterrole with additional resource permissions (Backport PR #18109, Upstream PR #18104, @aditighag)
* test: Extend the clusterIP tests with policy (#15928, @aditighag)
* test: Fix artifact collection for bad log failures (#16489, @pchaigno)
* test: Fix artifact collection for FQDN matchPattern test (#16759, @pchaigno)
* test: Fix flake in ValidateEndpointsAreCorrect (#16068, @pchaigno)
* test: Fix fragment tracking test on GKE (#15959, @pchaigno)
* test: Fix graceful termination test flake (Backport PR #18076, Upstream PR #18050, @aditighag)
* test: Fix helper to retrieve tail call counters (#16803, @pchaigno)
* test: Fix incorrect selector for netperf-service (Backport PR #18076, Upstream PR #18006, @christarazi)
* test: Fix incorrect uninstall in K8sBandwidth (#16053, @pchaigno)
* test: fix Infinite loop during VM provisioning (#17031, @h3llix)
* test: Fix local runs of K8sUpdates (#16802, @pchaigno)
* test: Fix missing artifacts for tests with parentheses (#16540, @pchaigno)
* test: Fix the search for VIPs in `cilium service list` (#15968, @pchaigno)
* test: Instrument LB IP via BGP test with debug-events (#16445, @christarazi)
* test: Log input to `json.Unmarshal` when it fails (#16099, @pchaigno)
* test: Misc improvements (#16064, @pchaigno)
* test: Move instrumentation to AfterFailed instead of AfterAll (#16845, @christarazi)
* test: Pass container to ExecPodCmdBackground() (#16435, @jrajahalme)
* test: Quarantine fragment tracking test on GKE (#16051, @pchaigno)
* test: Quarantine Secondary nodeport device tests (Backport PR #18109, Upstream PR #18091, @joestringer)
* test: Redeploy DNS after endpointRoutes reconfiguration (#16767, @joestringer)
* test: Remove outdated error msg from allowlist (#16998, @pchaigno)
* test: Remove Services SCTP test case (#16895, @brb)
* test: Remove special case for host identity when remote-node identity is disabled (#16450, @romanspb80)
* test: Remove uptime reporting (#16486, @brb)
* test: Retrieve the private interface in an Eventually (#16990, @christarazi)
* test: Run WG with per-endpoint routes (#15906, @brb)
* test: set kubeProxyReplacement=probe for upstream k8s tests (#16162, @aanm)
* test: Skip Istio test on k8s <1.17 (#17445, @jrajahalme)
* test: Specify node-selectors in BGP configmap (#16412, @christarazi)
* test: Spring cleaning of K8sServicesTest (#16470, @brb)
* test: Test IPsec+VXLAN on 4.19 (#17512, @pchaigno)
* test: Tiny cleanup of k8s_install.sh (#16534, @brb)
* test: Update list of allowed level=error logs (#16623, @pchaigno)
* test: Use hubble observe's jsonpb output in artifacts (#16054, @pchaigno)
* test: Use new test-verifier image in K8sVerifier (#16231, @pchaigno)
* test: Wait for kube-dns before starting test (#16411, @jrajahalme)
* tests: Disable K8s upstream tests that we do not support (#17828, @nathanjsweet)
* tests: rework custom calls' `AfterEach`/`AfterAll` blocks to skip if needed (#16651, @qmonnet)
* travis: login to Docker Hub (#17537, @nbusseneau)
* Update cilium-cli to v0.9.0 (#17330, @tklauser)
* update go.mod dependencies (#17775, @aanm)
* Use cilium-cli sysdump in L4LB tests (#17719, @tklauser)
* vagrant: Bump all Vagrant box versions (#16589, @pchaigno)
* vagrant: bump all Vagrant box versions (#17394, @tklauser)
* wireguard: Fix timeout in unit test (#16001, @gandro)
* workflows/L4LB: Reprovision if vagrant up fails (#17339, @brb)
* workflows: `issue_comment` triggers refactoring (#17419, @nbusseneau)
* workflows: add external workload conformance test (#16789, @nbusseneau)
* workflows: add test exceptions for failing L7 tests on EKS with IPsec (#17140, @nbusseneau)
* workflows: disable `no-policies/pod-to-service` in clustermesh (#17894, @nbusseneau)
* workflows: disable AKS testing with encryption enabled (#17645, @nbusseneau)
* workflows: disable scheduled runs for 1.10 AKS workflow (#17053, @nbusseneau)
* workflows: disable scheduled runs for 1.10 workflows (#17023, @nbusseneau)
* workflows: filter out schedule events from forks (#16012, @nbusseneau)
* workflows: fix build-and-push-with-qemu on v1.11 (#18071, @nbusseneau)
* workflows: Fix change detection of comment-triggered jobs (#17171, @pchaigno)
* workflows: fix concurrency group names (#16711, @nbusseneau)
* workflows: Fix Hubble flow capture in smoke tests (#17137, @pchaigno)
* workflows: fix L4LB test missing PR reporting on issue_comment (#16830, @nbusseneau)
* workflows: fix permissions (#17008, @nbusseneau)
* workflows: fix Relay pgrep check when using additional flags (#16831, @nbusseneau)
* workflows: Fix use of paths-filter on master pushes (#16507, @pchaigno)
* workflows: Improve the change check for `issue_comment` triggers (#16841, @pchaigno)
* workflows: increase VM creation retry count on external workloads (#17138, @nbusseneau)
* workflows: lessen clustermesh clusters names (#16029, @nbusseneau)
* workflows: only gather artifacts on failure (#16010, @nbusseneau)
* workflows: pin `cilium-cli` version to v0.8.6 (#17143, @nbusseneau)
* workflows: remove label filters for testing workflows (#16735, @nbusseneau)
* workflows: retrieve 1.10 branch code for L4LB test (#17737, @nbusseneau)
* workflows: retry GCP VM creation up to 3 times (#17068, @nbusseneau)
* workflows: Revert changes to comment-triggered workflows (#17173, @pchaigno)
* workflows: Skip building cilium-operator image (#16501, @pchaigno)
* workflows: Skip FQDN tests in AWS-CNI workflow (#16868, @pchaigno)
* workflows: Skip jobs instead of workflows (#16487, @pchaigno)
* workflows: Skip L7 test in AWS-CNI chaining mode (#17122, @pchaigno)
* workflows: update cluster names and tags (#15944, @nbusseneau)
* workflows: use `!success()` for sysdump and Slack notifications (#16899, @nbusseneau)
* workflows: Use new `cilium sysdump` (#17428, @pchaigno)
* workflows: various fixes & consistency passes (#16787, @nbusseneau)
* workflows: various small fixes (#16311, @nbusseneau)

**Misc Changes:**
* .gitattributes: Hide Documentation/_static. (#16929, @joestringer)
* .github/workflows: checkout all git history for Image GC (#17622, @aanm)
* .github/workflows: Fix typo (#16074, @christarazi)
* .github: add bug_report form to submit Cilium bugs (#17933, @aanm)
* .github: add external docs references to be updated after a release (#16177, @aanm)
* .github: add instructions when releasing a new minor version (#16405, @aanm)
* .github: add MLH config for flake tracking (#17040, @aanm)
* .github: add more release steps (#16257, @aanm)
* .github: add step to check for GH workflow when chart is released (#16851, @aanm)
* .github: add workflow to build beta images (Backport PR #18076, Upstream PR #18052, @aanm)
* .github: Create lint-rst.yaml (#16387, @geyslan)
* .github: Fix image digest job printing (#16660, @joestringer)
* .github: fix MLH configuration file for v1.11 branch (#18032, @aanm)
* .github: ignore k8s deps in dependabot (#16240, @tklauser)
* .github: Increase reporting threshold for new flakes (#17812, @pchaigno)
* .github: Rename `project/ci-force` to `ci/flake` (#17344, @pchaigno)
* .github: Rename maintainer's little helper's config file (#16458, @pchaigno)
* .github: set link for GH issue feature template (#17214, @aanm)
* Add arm64 support for the connectivity test (#15894, @aanm)
* Add AWS & Yahoo (#17406, @tgraf)
* Add cilium_egress_v4 to ignoredELFPrefixes (#16334, @Divya063)
* Add Cognite to USERS (#17405, @tgraf)
* Add developer build option to disable optimizations (#16923, @xyz-li)
* Add documentation for vlan bpf bypass. (#17539, @kvaster)
* Add eCHO (#16283, @lizrice)
* Add few values in CiliumEndpointPropagation metric bucket. (#17957, @krishgobinath)
* Add Form3 to users (#16643, @kevholditch-f3)
* Add identity GC metrics for CRD allocation mode (#15905, @rscampos)
* Add Kernel Misc Probe (#17541, @vincentmli)
* Add missing bpftool map dumps (#16055, @h3llix)
* Add neighbor discovery behavior docs to kubeproxy-free. (#17469, @bjhaid)
* add note about selecting proper interface name for masquerading (#17443, @rootkamil)
* add scruffy to garbage collect CI images from quay.io (#17610, @aanm)
* add stable.txt (#16453, @rolinh)
* Adding error checks for ctx_load_bytes. (#16138, @trvll)
* Adds a locked function to do ipcache delete on metadata match (Backport PR #18076, Upstream PR #17909, @Weil0ng)
* Adds a warning in the upgrade doc about split cluster (#17755, @Weil0ng)
* Adds concept documentation for CiliumEndpointSlice (#17430, @Weil0ng)
* Adds Northflank as a user (#17855, @DeciderWill)
* all: remove unnecessary string(byteslice) when passed into fmt.*rintf("%s", string(b)) (#17577, @odeke-em)
* Allow configuration of probe timers in Helm chart (#16584, @jonkerj)
* Allow to add custom labels to ServiceMonitors cilium-agent, cilium-operator, hubble in the Cilium Helm chart. (#17509, @canhnt)
* Avoid transitive dependency on github.com/miekg/dns in policy API (#16806, @tklauser)
* backporting: Suggest only one related commit for a backport (#16907, @joestringer)
* Better error reporting/catching in agent on nativeRoutingCIDR (#16646, @jibi)
* bpf, test/bpf: add generated files to .gitignore (#17551, @tklauser)
* bpf/Makefile: Default to `KERNEL=netnext` (#17600, @pchaigno)
* bpf/pcap: Use `CAPTURE{4,6}_RULES` macros (#16809, @pchaigno)
* bpf: Add extension for running sock LB on MKE-related containers (#17513, @borkmann)
* bpf: avoid encrypt_key map lookup if IPsec is disabled (#17840, @tklauser)
* bpf: Cleanup datapath macros (#17150, @pchaigno)
* bpf: convert majority of `bpf_elf_map` definitions to BTF map definitions (#17640, @ti-mo)
* bpf: ct: use union to hide the rx_bytes hack (#16471, @jibi)
* bpf: Fix reset of CB_PROXY_MAGIC (#17592, @jrajahalme)
* bpf: Fix stale map removal in agent logs (Backport PR #18027, Upstream PR #17973, @borkmann)
* bpf: Migrate map migration logic from C to Go (#16917, @nathanjsweet)
* bpf: Refactoring egress gateway datapath (#17868, @pchaigno)
* bpf: remove accidentally committed cilium-map-migrate binary (#17860, @tklauser)
* bpf: Remove duplicate define from MAX_BASE_OPTIONS (#16911, @christarazi)
* bpf: remove libelf dependency and unused nobpf.h (#17612, @ti-mo)
* bpf: rename variables with camel-case names (#16476, @qmonnet)
* bpf: two small janitorial cleanups (#16198, @tklauser)
* bpf: use ctx_redirect{,_peer}() instead of redirect{,_peer}() (#17814, @tklauser)
* bpf_host: emit '-> network' traces for egress packets (#16082, @navarrothiago)
* bugtool: Collect BPF cgroup programs related information (#16691, @aditighag)
* bugtool: Default pprof to the agent's gops port (#17004, @glibsm)
* bugtool: dump all active configs and encryption status (#17304, @h3llix)
* bugtool: Dump xfrm policy stats (#17354, @pchaigno)
* bugtool: Include listing of egress gateway map (#17378, @pchaigno)
* bugtool: Update `ip{6,}tables` commands (#16778, @pchaigno)
* build(deps): bump 8398a7/action-slack from 3.10.0 to 3.11.0 (#17886, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.11.0 to 3.12.0 (#17966, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 (#16995, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.9.2 to 3.9.3 (#17383, @dependabot[bot])
* build(deps): bump 8398a7/action-slack from 3.9.3 to 3.10.0 (#17447, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16345, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.5 to 2.1.6 (#16357, @dependabot[bot])
* build(deps): bump actions/cache from 2.1.6 to 2.1.7 (#17971, @dependabot[bot])
* build(deps): bump actions/checkout from 1 to 2.3.5 (#17632, @dependabot[bot])
* build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (#17776, @dependabot[bot])
* build(deps): bump actions/download-artifact from 2.0.9 to 2.0.10 (#16575, @dependabot[bot])
* build(deps): bump actions/setup-go from 2.1.3 to 2.1.4 (#17247, @dependabot[bot])
* build(deps): bump actions/upload-artifact from 2.2.3 to 2.2.4 (#16576, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16942, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.10 to 1.5.11 (#16959, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.11 to 1.6.0 (#17999, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.8 to 1.5.9 (#16182, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16413, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.5.9 to 1.5.10 (#16504, @dependabot[bot])
* build(deps): bump azure/CLI from 1.0.4 to 1.0.5 (#17843, @dependabot[bot])
* build(deps): bump azure/CLI from 1.0.5 to 1.0.6 (#17885, @dependabot[bot])
* build(deps): bump azure/login from 1.3.0 to 1.4.0 (#17673, @dependabot[bot])
* build(deps): bump azure/login from 1.4.0 to 1.4.1 (#17884, @dependabot[bot])
* build(deps): bump babel from 2.6.0 to 2.9.1 in /Documentation (#17662, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 (#16327, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.5.0 to 2.6.1 (#16743, @dependabot[bot])
* build(deps): bump docker/build-push-action from 2.6.1 to 2.7.0 (#17196, @dependabot[bot])
* build(deps): bump docker/login-action from 1.9.0 to 1.10.0 (#16638, @dependabot[bot])
* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15917, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15940, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.3.0 to 1.4.1 (#16682, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.4.1 to 1.5.0 (#16760, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.5.0 to 1.5.1 (#16853, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 1.5.1 to 1.6.0 (#17346, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 (#16326, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 (#16532, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1095 to 1.61.1153 (#16606, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1153 to 1.61.1214 (#17072, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1317 to 1.61.1319 (#17786, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1319 to 1.61.1322 (#17795, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1322 to 1.61.1323 (#17826, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1323 to 1.61.1325 (#17863, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1325 to 1.61.1327 (#17891, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1327 to 1.61.1331 (#17901, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1331 to 1.61.1333 (#17937, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.1333 to 1.61.1334 (#17950, @dependabot[bot])
* build(deps): bump github.com/aliyun/alibaba-cloud-sdk-go from 1.61.957 to 1.61.1095 (#16215, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.11.0 to 1.11.1 (#17946, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.6.0 to 1.7.1 (#16905, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.1.6 to 1.2.0 (#16143, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.2.0 to 1.5.0 (#16927, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.5.0 to 1.6.0 (#17096, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.9.0 to 1.10.0 (#17821, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.1.0 to 1.1.1 (#16452, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.4.0 to 1.6.0 (#17602, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.7.0 to 1.8.0 (#17825, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.8.0 to 1.8.1 (#17951, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.13.0 to 1.16.0 (#17347, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.20.0 to 1.21.0 (#17817, @dependabot[bot])
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.5.0 to 1.9.0 (#16625, @dependabot[bot])
* build(deps): bump github.com/Azure/azure-sdk-for-go from 50.0.0+incompatible to 50.2.0+incompatible (#16077, @dependabot[bot])
* build(deps): bump github.com/Azure/azure-sdk-for-go from 54.0.0+incompatible to 54.3.0+incompatible (#17704, @dependabot[bot])
* build(deps): bump github.com/Azure/azure-sdk-for-go from 59.0.0+incompatible to 59.1.0+incompatible (#17787, @dependabot[bot])
* build(deps): bump github.com/Azure/azure-sdk-for-go from 59.1.0+incompatible to 59.2.0+incompatible (#17844, @dependabot[bot])
* build(deps): bump github.com/Azure/azure-sdk-for-go from 59.2.0+incompatible to 59.3.0+incompatible (#17938, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.17 to 0.11.21 (#17624, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest from 0.11.21 to 0.11.22 (#17818, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/adal from 0.9.16 to 0.9.17 (#17827, @dependabot[bot])
* build(deps): bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.8 to 0.5.9 (#17831, @dependabot[bot])
* build(deps): bump github.com/containernetworking/plugins from 0.9.0 to 0.9.1 (#17518, @dependabot[bot])
* build(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible (#17936, @dependabot[bot])
* build(deps): bump github.com/go-openapi/errors from 0.19.9 to 0.20.0 (#16796, @dependabot[bot])
* build(deps): bump github.com/go-openapi/errors from 0.20.0 to 0.20.1 (#17438, @dependabot[bot])
* build(deps): bump github.com/go-openapi/loads from 0.20.0 to 0.20.2 (#16185, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.26 to 0.19.28 (#16242, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.28 to 0.19.29 (#17055, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.19.29 to 0.19.30 (#17101, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.20.0 to 0.20.3 (#17568, @dependabot[bot])
* build(deps): bump github.com/go-openapi/swag from 0.19.14 to 0.19.15 (#16351, @dependabot[bot])
* build(deps): bump github.com/go-openapi/validate from 0.20.1 to 0.20.2 (#16808, @dependabot[bot])
* build(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (#16368, @dependabot[bot])
* build(deps): bump github.com/google/renameio from 1.0.0 to 1.0.1 (#16921, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.3.0 to 1.9.1 (#17188, @dependabot[bot])
* build(deps): bump github.com/kr/pretty from 0.2.1 to 0.3.0 (#17117, @dependabot[bot])
* build(deps): bump github.com/mattn/go-shellwords from 1.0.10 to 1.0.12 (#17061, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 (#17816, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.2 to 3.21.5 (#16410, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.7 (#17127, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.18 to 1.0.19 (#17641, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.19 to 1.0.20 (#17710, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.20 to 1.0.21 (#17743, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.21 to 1.0.22 (#17783, @dependabot[bot])
* build(deps): bump github/codeql-action from 1.0.22 to 1.0.23 (#17920, @dependabot[bot])
* build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 (#17233, @dependabot[bot])
* build(deps): bump gopkg.in/ini.v1 from 1.63.2 to 1.64.0 (#17864, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.1.0 to 1.2.0 (#16706, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 (#16466, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 (#16956, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.0 (#17782, @dependabot[bot])
* build(deps): bump nick-invision/retry from 2.4.1 to 2.5.0 (#17555, @dependabot[bot])
* build(deps): bump nick-invision/retry from 2.5.0 to 2.5.1 (#17685, @dependabot[bot])
* build(deps): bump Sibz/github-status-action from 1.1.5 to 1.1.6 (#17476, @dependabot[bot])
* build(deps): update KyleMayes/install-llvm-action requirement to v1.3.0 (#16059, @dependabot[bot])
* Bump github.com/aws/aws-sdk-go-v2/service/ec2 to v1.13.0 (#17113, @ungureanuvladvictor)
* bwm: queue mapping & cong fixes (#15964, @borkmann)
* byteorder: Simplify byteorder package (#16201, @twpayne)
* checkpatch: update image to fix checks on commit object and message (#17067, @qmonnet)
* checkpatch: update image to improve checks and extend to all commits (#16739, @qmonnet)
* checkpatch: update to latest image to ignore empty commit messages (#17523, @twpayne)
* Checks k8s metadata for pod before removing IP from ipcache (#17161, @Weil0ng)
* chore: normalize error handling in kube_proxy_replacement.go (#16811, @ldelossa)
* chore: normalize returning of errors in NewDaemon (#16861, @ldelossa)
* ci: Increase the CI image wait timeout to 30 minutes (#17409, @michi-covalent)
* ci: use git status instead of git diff to check for a clean state (#16619, @kaworu)
* cilium: Don't report health error when disabled (#17146, @joestringer)
* cilium: fix ipv6 neighbor discovery (#17842, @borkmann)
* cilium: Rework neighbor handling (#17713, @borkmann)
* Clarify one-time setup for backporting (#16016, @christarazi)
* Cleanup Azure allocator cloud name detection code (#16888, @ungureanuvladvictor)
* clustermesh: fix CEP status patch (#16986, @nbusseneau)
* CODEOWNERS: add entries for health, recorder and relay APIs (#16522, @tklauser)
* CODEOWNERS: Assign egress gateway code to @cilium/bpf (#17774, @pchaigno)
* CODEOWNERS: Assign pkg/cgroups to cilium/bpf (#16758, @pchaigno)
* CODEOWNERS: Give maintainer's code to github-sec team (#16426, @pchaigno)
* CODEOWNERS: No review from @cilium/build on `bpf/Makefile` (#17601, @pchaigno)
* codeql: Fix GitHub Action permissions (#17376, @twpayne)
* codeql: Update CodeQL action version (#17579, @twpayne)
* conditionally change hubble relay port in hubble-ui (#16511, @alex1989hu)
* contrib/backporting: add environment variables to set ORG and REPO (#17424, @aanm)
* contrib/backporting: Dockerize backporting scripts (#17157, @aditighag)
* contrib/backporting: Install PyGithub for user (#17627, @joamaki)
* contrib/docs: rename 'cilium-actions.yml' with 'maintainers-little-helper.yaml' (#16750, @aanm)
* contrib/vagrant/start.sh: add a NO_BUILD export (#17425, @kkourt)
* contrib/vagrant: Use CRDs instead of kvstore if K8S=1 (#15913, @pchaigno)
* contrib: Ensure release tag is upstream before push (#15903, @joestringer)
* contrib: Explicitly set remote for backport branches (#16804, @twpayne)
* contrib: Fix bump-readme.sh script (#17311, @joestringer)
* contrib: fix dual-stack support in dev VMs (#15887, @aanm)
* contrib: Fix scripts for v1.10 (#15898, @joestringer)
* contrib: Fix submit-release.sh regression (#17607, @joestringer)
* contrib: Identify upstream commits by author and date (#16572, @pchaigno)
* contrib: Improve release script guard rails (#16936, @joestringer)
* contrib: Make upstream commit check more generic (#16160, @joestringer)
* contrib: Request author review during backports (#16484, @joestringer)
* contrib: simplify check-docker-images script (#16176, @aanm)
* contrib: Support prereleases in release prep scripts (#17502, @joestringer)
* contrib: update etcd's dev VM version (#16193, @aanm)
* Convert license headers to SPDX (#16887, @ldelossa)
* correct comment Service6Key and Service4Key (#17271, @ChenYahui2019)
* daemon, ipam, option: Introduce ability to bypass IP availability error (#17492, @christarazi)
* daemon/cmd: Extend Cilium status with graceful termination config (Backport PR #18027, Upstream PR #17969, @aditighag)
* daemon: Add --derive-masquerade-ip-addr-from-device opt (#17230, @brb)
* daemon: add K8sCacheIsSynced() method (#17651, @jibi)
* daemon: fix race in config handler (#17413, @h3llix)
* daemon: Improve logging of device auto-detection (#16118, @brb)
* daemon: log any error returned by RestoreServices() (#16666, @jibi)
* daemon: Skip bridge-like devices (#17560, @joamaki)
* daemon: Warn on disabling iptables (#16611, @joestringer)
* daemons: name init functions and have one `init` (#17616, @nebril)
* datapath/linux: enable neighbor discovery in unit tests (#17044, @aanm)
* datapath: allow specifying cilium_host routes metric (#17544, @Frankkkkk)
* datapath: Always use the wait argument on iptables commands. (#17593, @jrajahalme)
* datapath: Pass proxy port in to-proxy traces (#17595, @jrajahalme)
* datapath: Sort VLAN IDs in generated macros (#17105, @jrajahalme)
* dependabot: set pull-request limit to 5 (#17785, @aanm)
* dev-doctor: add check for the root directory (#16205, @twpayne)
* dev-doctor: Add docker and docker buildx checks (#16265, @twpayne)
* dev-doctor: Bump minimum hub version requirement for backporting (#16734, @twpayne)
* dev-doctor: use default GOPATH when missing from env (#17385, @kaworu)
* doc/encryption: improve consistency between ipsec and wireguard guides (#15965, @rolinh)
* doc: add upgrade note about nativeRoutingCIDR deprecation (Backport PR #18119, Upstream PR #18095, @kaworu)
* doc: hubble configuration cleanup (#17522, @kaworu)
* doc: update Hubble/Hubble Relay guides for recent CLI changes (#15981, @rolinh)
* doc: use ipv4NativeRoutingCIDR instead of nativeRoutingCIDR (Backport PR #18076, Upstream PR #18026, @kaworu)
* Dockerfile: use alpine 3.12 (#15950, @aanm)
* docs(k3s): add back the flag to disable network policies (#16755, @rio)
* docs, bpf: fix llvm-objdump --no-show-raw-insn options (#16848, @ClaudiaJKang)
* docs, gsg: add link to plumbers talk on service lb mechanisms (#16171, @borkmann)
* docs, gsg: minor edits to kpr guide and note on hybrid use (#16169, @borkmann)
* docs/ipsec: misc improvements (#15978, @kaworu)
* docs: account for bandwidth manager now being disabled by default (#16782, @bmcustodio)
* docs: add 'endpointRoutes.enabled=true' to aws-cni (#16045, @bmcustodio)
* docs: add a "Copy Commands" button for shell-session snippets (#16408, @qmonnet)
* docs: add a reference of helm values (#16238, @bmcustodio)
* docs: Add caveat for OpenShift (#16161, @christarazi)
* docs: add cilium build dependency when regen'ing docs (#17155, @ldelossa)
* docs: add clustermesh-apiserver description (#17025, @oblazek)
* docs: add custom spelling filter to check WireGuard spelling (#16513, @qmonnet)
* docs: add forking instructions + workflow + fix contributing notes (#16025, @nbusseneau)
* docs: add guidelines for contributing to Cilium's documentation (#16738, @qmonnet)
* docs: add ids to the list of special identities (#16123, @bmcustodio)
* docs: add information about ConfigMap updates (#16141, @aanm)
* docs: add K8s 1.22 compatibility (#17722, @nbusseneau)
* docs: Add missed build tag flags in testing docs (#17160, @twpayne)
* docs: add missing mount bpf fs on minikube GSG (#16324, @aanm)
* docs: Add note about DNS-related policies on OpenShift (#16083, @twpayne)
* docs: add registry (quay.io/) for pre-loading images for kind (Backport PR #18076, Upstream PR #18017, @adamzhoul)
* docs: Add upgrade note regarding custom ports (Backport PR #18027, Upstream PR #17975, @errordeveloper)
* Docs: Changed parameters for minikube start (#16570, @mauilion)
* docs: Clarify coordination for backporting process (#15989, @christarazi)
* docs: Clarify deprecated "prefilter-devices" (Backport PR #18119, Upstream PR #18112, @brb)
* docs: Clarify exact requirements for the egress gateway (#17381, @pchaigno)
* docs: clarify language on libceph and kernel 5.8 in kubeproxy-free GSG (#16969, @bluikko)
* docs: Clarify LRP loop related note (#16342, @aditighag)
* docs: Clarify SA target in KPR gsg (#16954, @brb)
* docs: clarify upgrade impact for clients using an egress gateway (Backport PR #18119, Upstream PR #18097, @jibi)
* docs: clarify uses of --direct-routing-device (#17578, @kkourt)
* docs: cleanup and tidy up the 1.11 upgrade guide (Backport PR #18119, Upstream PR #18093, @aanm)
* docs: clustermesh: fix output of "cilium clustermesh status" command (#15982, @jibi)
* docs: deprecate native-routing-cidr from v1.10 (#16688, @jibi)
* docs: Docker version requirement for external workloads (#17726, @wazir-ahmed)
* docs: Document `--debug-verbose=datapath` in debugging datapath section (#16022, @navarrothiago)
* docs: Document dns visibility limitations (#16822, @joestringer)
* docs: Document limitation for kernels without netns cookie (#17575, @pchaigno)
* docs: document the policy for backporting documentation changes (#16137, @qmonnet)
* docs: ENIs should not be managed by the OS (#16186, @gandro)
* docs: fix a block directive in OpenShift GSG (#17760, @qmonnet)
* docs: fix a typo in Helm installation documentation (#16325, @netflash)
* docs: Fix build failure (#16454, @pchaigno)
* docs: fix check-crd-compat-table script (#16545, @aanm)
* docs: fix code-block for bpf mount example (#16719, @aanm)
* docs: fix code-block formatting for XDP load example (#16876, @ClaudiaJKang)
* docs: Fix command for overwriting iptables on kube-proxy replacement install (#16264, @Stijn98s)
* docs: fix docs following #17238 (#17530, @nbusseneau)
* docs: fix docs following #17526 (#17570, @nbusseneau)
* docs: Fix egress gateway getting started guide (#15984, @gandro)
* docs: fix eksctl ClusterConfig to allow copy (Backport PR #18119, Upstream PR #18110, @aanm)
* docs: fix Helm documentation and doc checks (#16737, @qmonnet)
* docs: Fix Helm instructions for BGP (#16263, @xentobias)
* docs: Fix helm value when deploying pure ipvlan l3 mode (#17708, @chendotjs)
* Docs: Fix maglev.hashSeed byte size documentation (#16690, @gaffneyd4)
* docs: Fix missing quote in gcloud command for GKE (#17014, @christarazi)
* docs: fix some dead links (#16336, @aanm)
* docs: Fix typo in BGP GSG (#16563, @christarazi)
* docs: Fix up broken minikube link (#17382, @joestringer)
* docs: Fix up mailmap a bit and update authors (Backport PR #18027, Upstream PR #17983, @borkmann)
* docs: Fix version sorting for CRD schema docs (#17288, @joestringer)
* docs: fix warnings for documentation build, use a linter (#16407, @qmonnet)
* docs: Fix WireGuard spelling (#16293, @gandro)
* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (#15963, @ti-mo)
* docs: Hubble UI does not show HTTP endpoints anymore (#16535, @gandro)
* docs: ignore `__pycache__` directory created by custom spelling filters (#16791, @qmonnet)
* docs: improve and fix minor issues (#15975, @qmonnet)
* docs: improve the aws-cni chaining page (#15979, @bmcustodio)
* docs: improve the bandwidth manager page (#16783, @bmcustodio)
* docs: Improve wording around Helm values in OKD GSG (#16069, @errordeveloper)
* docs: include maintainers CODEOWNERS release process (#15924, @aanm)
* docs: Instructions to upgrade aws-cni (#16431, @pchaigno)
* docs: KUBECONFIG for cilium-cli with k3s (Backport PR #18076, Upstream PR #18068, @kkourt)
* docs: mark node-to-node IPSec encryption as beta (#16200, @qmonnet)
* docs: Mention about KubeVirt in KPR docs (#17847, @brb)
* docs: minor improvements to tuning guide (#16024, @borkmann)
* docs: Minor language tweak (#15923, @glibsm)
* docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 (#16288, @aanm)
* docs: Remove instructions for nodeinit on various platforms (#17635, @joestringer)
* docs: remove mention of 250 nodes for kvstore (Backport PR #18027, Upstream PR #17995, @aanm)
* docs: remove misplaced sentence from Quick Installation guide (#15971, @lfundaro)
* docs: rename maintainers team to cilium-maintainers (#16591, @aanm)
* docs: Reword sentence on WireGuard limitation (#17822, @pchaigno)
* docs: run GitHub action when Charts are touched to check Helm values ref (#16577, @qmonnet)
* docs: small fixes to Getting Started Guides (#17583, @nbusseneau)
* docs: Some WireGuard improvements (#16023, @brb)
* docs: tell how to deploy demo app in Hubble CLI guide (#15973, @lfundaro)
* docs: Update community page (#17599, @joestringer)
* docs: Update iproute2 requirements (#17830, @brb)
* docs: Update link to be specific to Janitors (#16732, @pchaigno)
* docs: update OpenShift getting started guide (#16006, @twpayne)
* docs: Update packer-ci-build docs (#17395, @twpayne)
* docs: update requirements (urllib3 1.26.5, requests 2.25.1) (#16396, @qmonnet)
* docs: Update SIG-Datapath meeting time. (#16027, @joestringer)
* docs: update the version specific notes table (#16710, @bmcustodio)
* docs: Update troubleshooting for 1.10 (#16081, @twpayne)
* docs: use `.. code-block:: shell-session` wherever relevant (#16474, @qmonnet)
* docs: Use cilium sysdump instead of python sysdump (#17402, @michi-covalent)
* docs: Use git+https in requirements.txt (#17756, @michi-covalent)
* docs: various fixes to documentation, notably Getting Started Guides (#16126, @nbusseneau)
* Document v1.11 feature deprecations (Backport PR #18027, Upstream PR #17993, @joestringer)
* Documentation/gettingstarted: fix helm arguments (#17496, @AlexZzz)
* Documentation/Makefile improve clean command (#17598, @kkourt)
* Documentation: don't use docker for check-cmdref (#16939, @kkourt)
* ebpf: delete existing pinned map if incompatible with the spec (#15832, @jibi)
* elf: skip BenchmarkWriteELF if ELF file wasn't built (#17536, @tklauser)
* Encryption docs update (#14940, @aditighag)
* ethtool: use ioctl wrapper from golang.org/x/sys/unix (#17153, @tklauser)
* examples: add an example of a hubble-cli Deployment (#16459, @kaworu)
* examples: Fix up standalone-etcd.yaml (#17369, @joestringer)
* Fix alias of cilium-health get (#16891, @xyz-li)
* Fix documented EC2 IAM action (Backport PR #18076, Upstream PR #17958, @austince)
* Fix encryption getting started guides for v1.10 (#15961, @jibi)
* Fix label shown as Unknown App in hubble ui for http-sw-app example (#17597, @hemslo)
* Fix logging for expired FQDN IPs (#16030, @youssefazrak)
* fix warning log for list IPV6 address: move IPV4 to IPv6. (#16475, @lic17)
* fix(docs): bandwidth-manager install error (#17338, @withlin)
* Fixed a minor race condition on drop counts when Hubble starts dropping flows/events because of a full channel. This change also logs the fact that drops are happening once, rather than logging a message for every drop, and logs an additional message once drops are no longer happening, with the number of events/flows that were dropped. (#15967, @nathanjsweet)
* Follow ups for host firewall support of endpoint routes (#15942, @pchaigno)
* fqdn: add fqdn proxy interface (#17318, @nebril)
* github: Fix external workloads test file syntax (#17019, @brb)
* github: Increase workflow timeout (#16819, @jrajahalme)
* go.mod, vendor: update wireguard-go to latest version (#17740, @tklauser)
* health: Fix cluster-health-port for health endpoint (Backport PR #18076, Upstream PR #18061, @gandro)
* helm: ensure defaultMode=0400 for projected volumes containing secrets (#17367, @rolinh)
* helm: Expose l2 neigh discovery related agent flags (#17526, @brb)
* helm: Fix hubble-ui clusterrole guard (#17846, @gandro)
* helm: Remove redundant capabilities (#17131, @gandro)
* helm: set correct versions of docker images in Makefile (#17477, @aanm)
* hubble-ca-cert ConfigMap cleanup (#17294, @kaworu)
* hubble: Fix data races in `pkg/hubble.TestRingReader_NextFollow_WithEmptyRing` (#17397, @gandro)
* images/builder: update protoc-gen-go-json from v1.0.0 to v1.1.0 (#17269, @rolinh)
* images/script: update the example hubble cli Deployment version (#16537, @kaworu)
* images: Bump Hubble CLI to v0.8.2 (#17362, @kaworu)
* images: Bump iproute2 image (#17222, @brb)
* images: Move hubble-proto into cilium-builder (#16217, @gandro)
* images: Remove trailing newlines before computing SHA256 (#16621, @pchaigno)
* Improve author attribution scripts (#15899, @joestringer)
* Improve logging when cgroupfs mount fails (#15999, @johngv2)
* Improve output of development VM startup (#17343, @pchaigno)
* Improve the Helm chart documentation. (#16469, @bmcustodio)
* Improves the error logs during the bpf maps updating (#16034, @elfadel)
* install/kubernetes/cilium: reference stable docs for eBPF maps (#17757, @tklauser)
* install/kubernetes: fix helm generation for operator image digest (Backport PR #18027, Upstream PR #17968, @aanm)
* install/kubernetes: remove duplicated 'key' in volumes (#17123, @aanm)
* install: Fix hubble-ui-backend digest tracking (#15900, @joestringer)
* install: Fix README links to getting started guides (#16947, @joestringer)
* install: Update image digests for v1.11.0-rc3 (#17967, @aanm)
* Introduce v2 backend map with u32 backend ID (#17235, @Weil0ng)
* ipam/allocator/podcidr: fix old pod cidr logging error (#17372, @lrouter)
* ipcache: Remove unused fields (#17356, @joestringer)
* iptables: Add extra warning message listing missing IPV6 kernel modules (#16842, @oneiro-naut)
* iptables: Remove NOTRACK Netfilter target (#17751, @pchaigno)
* ipvlan: Avoid spammy dmesg info messages (#17709, @chendotjs)
* issue_14922: Fixed the 429 response code handling (#15760, @Maddy007-maha)
* jenkinsfiles: Don't display nulls in current build display name (#17258, @twpayne)
* k8s/watchers: Add missing v1 EndpointSlice group on init (#17778, @christarazi)
* k8s: Bump schema version for v1.11 development (#17289, @joestringer)
* k8s: Fix logging (#16530, @jrajahalme)
* lbmap: Log svc update after bpf() syscall invocation (#17017, @brb)
* logging: enhanced log level setting interface (#16021, @mvisonneau)
* MAINTAINERS: update MAINTAINERS.md (#17427, @nbusseneau)
* Make backporting responsibility more clear (#15700, @joestringer)
* Make go test ./... succeed by default (#16914, @twpayne)
* make: merge Go update targets (#17794, @tklauser)
* Makefile, contrib: Add script to create kind cluster (#12527, @christarazi)
* Makefile: fix line continuation in docker build (#17059, @krsna1729)
* Makefile: fix typo in helper message (#17128, @aanm)
* maps: switch maglev to cilium/ebpf package (#15546, @jibi)
* Minikube guide updates (#16346, @aditighag)
* Minor egress gateway fixups (#17663, @pchaigno)
* Minor fixes for OKD GSG (#16000, @errordeveloper)
* Misc. GH workflow improvements and hardness (#16908, @aanm)
* monitor: Fix mismatching frontend service debug trace types (#16953, @christarazi)
* monitor: Improve the log output format of datapath log. (#17507, @leonliao)
* monitor: Initialize agent in daemon early (#17407, @gandro)
* monitor: print error message on failure to decode layer (#16397, @qmonnet)
* neigh: add runtime test for changing next hop address (#17862, @borkmann)
* neigh: Clean up stale/untracked non-GC'ed neighbors (#17918, @borkmann)
* neigh: Init new neighbor for older kernel with NUD_STALE (#17932, @borkmann)
* neigh: minor improvements for neigh tests to be less flaky (Backport PR #18076, Upstream PR #18057, @borkmann)
* netns: Fix socket leak (#17051, @brb)
* node-neigh: Avoid flooding the same next hop (#15882, @brb)
* node: Add WireguardPubKey to ToCiliumNode (#16420, @gandro)
* operator: Improve identity GC efficiency (#17359, @christarazi)
* operator: misc. refactoring and code removal (#16918, @aanm)
* operator: remove deprecated Azure cloud name flag (#17765, @tklauser)
* option: Fix ipvlan master device config (#17130, @joestringer)
* pkg/k8s: add pod IP event change (#16190, @aanm)
* pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors (#16153, @aanm)
* pkg/k8s: re-add CiliumIsUp Node condition even if removed (#16857, @aanm)
* pkg/kvstore: fix concurrent access of var in testing (#16427, @aanm)
* pkg/kvstore: fix TestRunLocksGC unit test (#16596, @aanm)
* pkg/node: add comments for IPLen in getCiliumHostIPsFromFile (#16877, @aanm)
* pkg/rate,proxylib: Use math.MaxInt constants (#17580, @twpayne)
* pkg: rename egresspolicy package to egressgateway (#17630, @jibi)
* podcidr: rename a variable, to remove its "v4" prefix in a context where it can refer either to IPv4 or IPv6 (#17763, @cndoit18)
* policy: Add a bpf compiling option when `enable-icmp-rules` flag is set (#17620, @chez-shanpu)
* Prepare for 1.11.0 development (#15870, @joestringer)
* Prepare for release v1.11.0-rc0 (#17501, @joestringer)
* Prepare for release v1.11.0-rc1 (#17876, @aanm)
* Prepare for release v1.11.0-rc2 (#17934, @aanm)
* Prepare for release v1.11.0-rc3 (#17960, @aanm)
* proxy: Expose cachedSelectorREEntry type (#17341, @nebril)
* proxylib/test: fix data race between StartAccessLogServer and Close (#16298, @tklauser)
* proxylib: Fix data races in unit tests (#17141, @gandro)
* README: fix the Weekly Community Meeting time (#17215, @tixxdz)
* README: update link to docker images to quay.io (#16116, @jibi)
* refactor cert-gen logic (#16900, @dungdm93)
* Refactor logging package to split syslog functionality into separate file (#16600, @tklauser)
* Refactored, renamed and small misc changes in GH workflows (#16312, @aanm)
* Remove duplicate CiliumNode watcher (#17873, @aanm)
* Remove unrelated labels from example node-local-dns yaml (#17564, @Weil0ng)
* Remove unused variable in test_tc_tunnel.c (#17683, @h3llix)
* Removes CEP subresource. (#15632, @Weil0ng)
* replaced and removed useless field in RemoteCache (#16290, @sstoner)
* Restrict Kubernetes access for hubble-relay (#16937, @jonkerj)
* Restructure helm chart into components (#16795, @dungdm93)
* Revert "config: Fix incorrect packet path with IPsec and endpoint rou… (#17057, @aanm)
* Revert "docs: add 'endpointRoutes.enabled=true' to aws-cni" (#16756, @bmcustodio)
* Revert "docs: deprecate native-routing-cidr from v1.10" (#16695, @jibi)
* Revert "operator: only GC identity keys of its own cluster" (#17549, @nbusseneau)
* Revert "Perform reverse NAT at Host Interface" (#17319, @nbusseneau)
* Revert "policy: Make selectorcache callbacks lock-free" (#16769, @aanm)
* Revert "travis: login to Docker Hub" (#17548, @nbusseneau)
* Revert PR #17145 (#17675, @nbusseneau)
* SECURITY.md: Update security policy for v1.10 release cycle (#16254, @joestringer)
* sockops: Remove duplicate error logging (#16417, @pchaigno)
* Specify scrape interval for Hubble metrics (#16214, @christian-2)
* Speed up build image process for PRs (#17623, @aanm)
* Support serviceAnnotations to helm-metrics service (#17366, @carloscastrojumo)
* test, images: update helm to 3.7.0 (#17488, @kaworu)
* test/bpf: Flag to continue in case of errors (#16793, @pchaigno)
* test: Add HostPort conformance to upstream-k8s (#17048, @joestringer)
* test: align filter for kubectl.GetPodsNodes() on kubectl.GetPodsIPs() (#16398, @qmonnet)
* test: Delete hubble-ca-secret when cleaning up (#17591, @jrajahalme)
* test: Delete the test namespace in CLI test (#17134, @jrajahalme)
* test: Disable unreliable K8sBookInfoDemoTest test (#17550, @twpayne)
* test: Enable debug for l4lb test (#17720, @jrajahalme)
* test: Increase service/DNS timeout from 30 to 240 seconds (#16820, @jrajahalme)
* test: Quarantine K8sServicesTest Check services across nodes (#17514, @twpayne)
* tests: re-enable Host Firewall for AutoDirectNodeRoutes test and encryption + direct routing (#16652, @qmonnet)
* Tidy up Kubernetes watcher synchronization (#17145, @joestringer)
* Tidy up Kubernetes watcher synchronization (#17677, @joestringer)
* Togroups policy fixup (#15987, @psinghal20)
* tooling: introduce target for generating json compilation database (#17065, @ldelossa)
* treewide: convert more license headers to SPDX (#17151, @twpayne)
* treewide: Ensure that binaries are built with at least Go 1.17 (#17322, @twpayne)
* treewide: Fix problems identified by CodeQL (#17516, @twpayne)
* treewide: Use formatted logrus logs when possible (#17611, @pchaigno)
* ui: v0.8.3 (Backport PR #18076, Upstream PR #18033, @geakstr)
* update .github directory to be v1.11 branch specific (#17986, @aanm)
* Update base images with most recent SHAs (#15895, @aanm)
* Update bug_template.md to use "cilium sysdump" command (#17697, @michi-covalent)
* Update CI infrastructure for v1.10 release (#15947, @christarazi)
* Update controller tools v0.6.2 (#17596, @jrajahalme)
* Update Go to 1.16.4 (#16058, @tklauser)
* Update Go to 1.16.5 (#16428, @tklauser)
* Update Go to 1.16.7 (#17116, @tklauser)
* Update Go to 1.17 (#17190, @tklauser)
* Update Go to 1.17.1 (#17360, @tklauser)
* Update Go to 1.17.2 (#17565, @tklauser)
* Update Go to 1.17.3 (#17792, @tklauser)
* Update mailmap and latest authors (#17605, @joestringer)
* Update some dependencies to release versions (#17497, @tklauser)
* Update stable releases (#16184, @joestringer)
* Update stable releases (#16355, @aanm)
* Update stable releases (#16547, @aanm)
* Update stable releases (#16765, @aanm)
* Update stable releases (#16902, @aanm)
* Update stable releases (#16948, @joestringer)
* Update stable releases (#16988, @joestringer)
* Update stable releases (#17310, @joestringer)
* Update stable releases (#17609, @joestringer)
* Update stable releases (#17808, @joestringer)
* update stable releases in README (#16244, @aanm)
* Update test/packet instructions for running CI tests on dedicated instances (#16423, @christarazi)
* Update USERS.md (#17231, @acholt)
* Update weekly community meeting timeslot (#15985, @joestringer)
* Use iproute2 with libbpf for loading datapath BPF programs (#16727, @brb)
* Use k8snodestore to perform node status GC of CCNP and CNP (#16430, @daemon1024)
* vagrant: Disable KPR in development VM to match Helm default (#16152, @pchaigno)
* vendor: bump etcd to v3.5.0 and grpc to v1.39.0 (#15123, @rolinh)
* vendor: bump github.com/vishvananda/netlink to latest master (#16070, @tklauser)
* vendor: Bump go.universe.tf/metallb (#16187, @christarazi)
* vendor: Update go.universe.tf/metallb (#16523, @christarazi)
* vendor: update k8s dependencies and tests to 1.21.1 (#16212, @aanm)
* vendor: Update k8s dependencies and tests to 1.21.3 (#16608, @christarazi)
* vendor: update mongo-driver to 1.5.1 to fix CVE-2021-20329 (#17234, @aanm)
* vendor: update wireguard library (#16066, @aanm)
* verifier-test.sh: allow for empty FOO_PROGS (#17408, @kkourt)
* version, metrics: allow to build on non-unix platforms (#16679, @tklauser)
* veth: Avoid spammy dmesg info messages (#17705, @borkmann)
* docs: Delete old CRD create by ACK CNI (#16145, @l1b0k)
* Update kind documentation (#18007, @aditighag)