Known IPsec related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.
Summary of Changes
Minor Changes:
Report the kernel error code in case of packet drops due to failures to create NAT map entries. (Backport PR #27652, Upstream PR #25883, @julianwiedmann)
Bugfixes:
bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #27998, Upstream PR #27798, @ti-mo)
Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27393, Upstream PR #27312, @julianwiedmann)
Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27925, Upstream PR #27656, @pchaigno)
Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27651, Upstream PR #27590, @hemanthmalla)
Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27393, Upstream PR #27168, @learnitall)
Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27587, Upstream PR #27319, @jrfastab)
Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27998, Upstream PR #27602, @julianwiedmann)
gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27651, Upstream PR #27251, @farodin91)
ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27925, Upstream PR #27818, @mhofstetter)
IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28022, Upstream PR #28012, @jrfastab)
Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27925, Upstream PR #27572, @bimmlerd)
proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27741, Upstream PR #27597, @sayboras)
CI Changes:
.github/workflows: unify time to wait for images to become available (Backport PR #27925, Upstream PR #27706, @tklauser)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/coroot/coroot-node-agent/network/alerts).
Bumps github.com/cilium/cilium from 1.13.2 to 1.13.7.
Release notes
Sourced from github.com/cilium/cilium's releases.
... (truncated)
Changelog
Sourced from github.com/cilium/cilium's changelog.
... (truncated)
Commits
e1eb268 Prepare for release v1.13.7
f6ed7d9 chore(deps): update actions/checkout action to v4
62acd9c chore(deps): update all lvh-images main
a63bd30 images: update cilium-{runtime,builder}
5adf2c2 chore(deps): update docker.io/library/golang docker tag to v1.20.8
f9265b5 chore(deps): update sigstore/cosign-installer action to v3.1.2
100b580 chore(deps): update cilium/coccicheck docker tag to v2.4
4c2fda4 k8s: Add validation for init policy selection
3a1a073 k8s: Restrict configuring reserved:init policy via CNP
fea64de k8s: Change test for reserved:init to CCNP