teletraan-x[bot]
commented
1 year ago π¦ MegaLinter status: β SUCCESS
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| β REPOSITORY | git_diff | yes | no | 0.01s | |
| β REPOSITORY | secretlint | yes | no | 1.63s | |
| β YAML | prettier | 1 | 0 | 0.8s | |
| β YAML | yamllint | 1 | 0 | 0.36s |
See detailed report in MegaLinter reports
_Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff_
_MegaLinter is graciously provided by 
_
This PR contains the following updates:
1.13.3->1.13.4Release Notes
cilium/cilium
### [`v1.13.4`](https://togithub.com/cilium/cilium/releases/tag/v1.13.4): 1.13.4 [Compare Source](https://togithub.com/cilium/cilium/compare/1.13.3...1.13.4) We are pleased to release Cilium v1.13.4. This release addresses the following security issue: - [GHSA-r7wr-4w5q-55m6](https://togithub.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6) It aslso contains fixes related to IPsec, datapath drop notifications, CPU overhead, downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes. See the notes below for a full description of the changes. ## :warning: Warning - IPsec :warning: **Do NOT upgrade to this release if you are using IPsec.** ## Summary of Changes **Minor Changes:** - Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25893](https://togithub.com/cilium/cilium/issues/25893), [@pchaigno](https://togithub.com/pchaigno)) - Updating documentation helm values now works also on arm64. (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25422](https://togithub.com/cilium/cilium/issues/25422), [@jrajahalme](https://togithub.com/jrajahalme)) **Bugfixes:** - Add drop notifications for various error paths in the datapath. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25183](https://togithub.com/cilium/cilium/issues/25183), [@julianwiedmann](https://togithub.com/julianwiedmann)) - bpf,datapath: read jiffies from /proc/schedstat (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25795](https://togithub.com/cilium/cilium/issues/25795), [@ti-mo](https://togithub.com/ti-mo)) - Compare annotations before discarding CiliumNode updates. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25465](https://togithub.com/cilium/cilium/issues/25465), [@LynneD](https://togithub.com/LynneD)) - CPU overhead regression introduced in v1.13 is fixed. ([#25548](https://togithub.com/cilium/cilium/issues/25548), [@jrajahalme](https://togithub.com/jrajahalme)) - Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25784](https://togithub.com/cilium/cilium/issues/25784), [@pchaigno](https://togithub.com/pchaigno)) - Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25724](https://togithub.com/cilium/cilium/issues/25724), [@pchaigno](https://togithub.com/pchaigno)) - Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25735](https://togithub.com/cilium/cilium/issues/25735), [@pchaigno](https://togithub.com/pchaigno)) - Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR [#25923](https://togithub.com/cilium/cilium/issues/25923), Upstream PR [#25419](https://togithub.com/cilium/cilium/issues/25419), [@bimmlerd](https://togithub.com/bimmlerd)) - Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25744](https://togithub.com/cilium/cilium/issues/25744), [@joamaki](https://togithub.com/joamaki)) - Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host ([#25962](https://togithub.com/cilium/cilium/issues/25962), [@jschwinger233](https://togithub.com/jschwinger233)) - Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR [#26160](https://togithub.com/cilium/cilium/issues/26160), Upstream PR [#26093](https://togithub.com/cilium/cilium/issues/26093), [@pchaigno](https://togithub.com/pchaigno)) - Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25674](https://togithub.com/cilium/cilium/issues/25674), [@jrajahalme](https://togithub.com/jrajahalme)) - Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#25953](https://togithub.com/cilium/cilium/issues/25953), [@pchaigno](https://togithub.com/pchaigno)) - Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25426](https://togithub.com/cilium/cilium/issues/25426), [@bleggett](https://togithub.com/bleggett)) - Fix RevSNAT for ICMPv6 packets. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25306](https://togithub.com/cilium/cilium/issues/25306), [@julianwiedmann](https://togithub.com/julianwiedmann)) - Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25936](https://togithub.com/cilium/cilium/issues/25936), [@joamaki](https://togithub.com/joamaki)) - Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#25969](https://togithub.com/cilium/cilium/issues/25969), [@jrajahalme](https://togithub.com/jrajahalme)) - gateway-api: Race condition between routes and Gateway (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25573](https://togithub.com/cilium/cilium/issues/25573), [@sayboras](https://togithub.com/sayboras)) - gateway-api: Skip reconciliation for non-matching controller routes (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25549](https://togithub.com/cilium/cilium/issues/25549), [@sayboras](https://togithub.com/sayboras)) - helm: Correct typo in Ingress validation (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25570](https://togithub.com/cilium/cilium/issues/25570), [@sayboras](https://togithub.com/sayboras)) - Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25803](https://togithub.com/cilium/cilium/issues/25803), [@pchaigno](https://togithub.com/pchaigno)) **CI Changes:** - \[v1.13 backport] test: Switch target FQDN ([#25584](https://togithub.com/cilium/cilium/issues/25584), [@nbusseneau](https://togithub.com/nbusseneau)) - Add github workflow to push development helm charts to quay.io (Backport PR [#26087](https://togithub.com/cilium/cilium/issues/26087), Upstream PR [#25205](https://togithub.com/cilium/cilium/issues/25205), [@chancez](https://togithub.com/chancez)) - hostfw tests flake workaround (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25323](https://togithub.com/cilium/cilium/issues/25323), [@tommyp1ckles](https://togithub.com/tommyp1ckles)) - Pick up the latest startup-script image (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25774](https://togithub.com/cilium/cilium/issues/25774), [@michi-covalent](https://togithub.com/michi-covalent)) - test/k8s: add host firewall workaround for svc host policy test. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25461](https://togithub.com/cilium/cilium/issues/25461), [@tommyp1ckles](https://togithub.com/tommyp1ckles)) - test/k8s: for services test, wait for all applied manifests to delete (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25341](https://togithub.com/cilium/cilium/issues/25341), [@tommyp1ckles](https://togithub.com/tommyp1ckles)) - test/k8s: quarantine K8sDatapathServicesTest (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25670](https://togithub.com/cilium/cilium/issues/25670), [@aanm](https://togithub.com/aanm)) - test/k8s: update host policies for firewall tests. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25374](https://togithub.com/cilium/cilium/issues/25374), [@tommyp1ckles](https://togithub.com/tommyp1ckles)) - test: delete ginkgo test "NodePort with L7 Policy from outside" (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25702](https://togithub.com/cilium/cilium/issues/25702), [@jschwinger233](https://togithub.com/jschwinger233)) - test: prevent panic on k8s services host fw test on some runs. (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25747](https://togithub.com/cilium/cilium/issues/25747), [@tommyp1ckles](https://togithub.com/tommyp1ckles)) **Misc Changes:** - backport (v1.13): docs: Promote Deny Policies out of Beta ([#26147](https://togithub.com/cilium/cilium/issues/26147), [@nathanjsweet](https://togithub.com/nathanjsweet)) - bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25742](https://togithub.com/cilium/cilium/issues/25742), [@julianwiedmann](https://togithub.com/julianwiedmann)) - chore(deps): update all github action dependencies (v1.13) (patch) ([#25704](https://togithub.com/cilium/cilium/issues/25704), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) ([#25865](https://togithub.com/cilium/cilium/issues/25865), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) ([#26042](https://togithub.com/cilium/cilium/issues/26042), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) ([#25852](https://togithub.com/cilium/cilium/issues/25852), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) ([#25853](https://togithub.com/cilium/cilium/issues/25853), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) ([#25857](https://togithub.com/cilium/cilium/issues/25857), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`ac58ff7`](https://togithub.com/cilium/cilium/commit/ac58ff7) (v1.13) ([#25547](https://togithub.com/cilium/cilium/issues/25547), [@renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) ([#25997](https://togithub.com/cilium/cilium/issues/25997), [@renovate](https://togithub.com/renovate)\[bot]) - ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR [#26200](https://togithub.com/cilium/cilium/issues/26200), Upstream PR [#26197](https://togithub.com/cilium/cilium/issues/26197), [@ti-mo](https://togithub.com/ti-mo)) - docs: Add Bottlerocket OS to validated distros (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25390](https://togithub.com/cilium/cilium/issues/25390), [@nebril](https://togithub.com/nebril)) - docs: document missing entity 'ingress' (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25665](https://togithub.com/cilium/cilium/issues/25665), [@mhofstetter](https://togithub.com/mhofstetter)) - docs: Fix broken link to backends leak issue (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25278](https://togithub.com/cilium/cilium/issues/25278), [@akhilles](https://togithub.com/akhilles)) - docs: Improve BGP Control Plane page (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#23939](https://togithub.com/cilium/cilium/issues/23939), [@krouma](https://togithub.com/krouma)) - gateway-api: Remove unused function check ([#26058](https://togithub.com/cilium/cilium/issues/26058), [@ferozsalam](https://togithub.com/ferozsalam)) - install: Fail helm if kube-proxy-replacement is not valid (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25907](https://togithub.com/cilium/cilium/issues/25907), [@jrajahalme](https://togithub.com/jrajahalme)) - ipsec: Fix cleanup of XFRM states and policies (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#26072](https://togithub.com/cilium/cilium/issues/26072), [@pchaigno](https://togithub.com/pchaigno)) - Slim down Node handler interface (Backport PR [#25923](https://togithub.com/cilium/cilium/issues/25923), Upstream PR [#25450](https://togithub.com/cilium/cilium/issues/25450), [@bimmlerd](https://togithub.com/bimmlerd)) - test/provision/compile.sh: Make usable from dev VM (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25352](https://togithub.com/cilium/cilium/issues/25352), [@jrajahalme](https://togithub.com/jrajahalme)) - Update network attacker sections of the threat model (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25640](https://togithub.com/cilium/cilium/issues/25640), [@ferozsalam](https://togithub.com/ferozsalam)) **Other Changes:** - envoy: Bump envoy version to v1.23.10 ([#25884](https://togithub.com/cilium/cilium/issues/25884), [@mhofstetter](https://togithub.com/mhofstetter)) - install: Update image digests for v1.13.3 ([#25726](https://togithub.com/cilium/cilium/issues/25726), [@thorn3r](https://togithub.com/thorn3r)) - wireguard: Always unset fwMark ([#25858](https://togithub.com/cilium/cilium/issues/25858), [@brb](https://togithub.com/brb)) #### Docker Manifests ##### cilium `docker.io/cilium/cilium:v1.13.4@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b` `quay.io/cilium/cilium:v1.13.4@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b` `docker.io/cilium/cilium:stable@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b` `quay.io/cilium/cilium:stable@sha256:bde8800d61aaad8b8451b10e247ac7bdeb7af187bb698f83d40ad75a38c1ee6b` ##### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.13.4@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a` `quay.io/cilium/clustermesh-apiserver:v1.13.4@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a` `docker.io/cilium/clustermesh-apiserver:stable@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a` `quay.io/cilium/clustermesh-apiserver:stable@sha256:3f2bb561ddcf45bd7c598b6846439518c6f4fc735a08e518587da8849496235a` ##### docker-plugin `docker.io/cilium/docker-plugin:v1.13.4@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1` `quay.io/cilium/docker-plugin:v1.13.4@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1` `docker.io/cilium/docker-plugin:stable@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1` `quay.io/cilium/docker-plugin:stable@sha256:1a11d2f643b92ff4ece29adf7c945795c3faacbc9a47e0089bf6fb6e944c0ae1` ##### hubble-relay `docker.io/cilium/hubble-relay:v1.13.4@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871` `quay.io/cilium/hubble-relay:v1.13.4@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871` `docker.io/cilium/hubble-relay:stable@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871` `quay.io/cilium/hubble-relay:stable@sha256:bac057a5130cf75adf5bc363292b1f2642c0c460ac9ff018fcae3daf64873871` ##### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.13.4@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69` `quay.io/cilium/operator-alibabacloud:v1.13.4@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69` `docker.io/cilium/operator-alibabacloud:stable@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69` `quay.io/cilium/operator-alibabacloud:stable@sha256:6938be50749205631c02d72277e35199a1adec1323c9310dc2d96911784b1a69` ##### operator-aws `docker.io/cilium/operator-aws:v1.13.4@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84` `quay.io/cilium/operator-aws:v1.13.4@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84` `docker.io/cilium/operator-aws:stable@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84` `quay.io/cilium/operator-aws:stable@sha256:c6bde19bbfe1483577f9ef375ff6de19402ac20277c451fe05729fcb9bc02a84` ##### operator-azure `docker.io/cilium/operator-azure:v1.13.4@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e` `quay.io/cilium/operator-azure:v1.13.4@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e` `docker.io/cilium/operator-azure:stable@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e` `quay.io/cilium/operator-azure:stable@sha256:55bb91b96c2e3361b3e622b42c8925a31f2f7124150666696030f15d718cd83e` ##### operator-generic `docker.io/cilium/operator-generic:v1.13.4@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301` `quay.io/cilium/operator-generic:v1.13.4@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301` `docker.io/cilium/operator-generic:stable@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301` `quay.io/cilium/operator-generic:stable@sha256:09ab77d324ef4d31f7d341f97ec5a2a4860910076046d57a2d61494d426c6301` ##### operator `docker.io/cilium/operator:v1.13.4@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464` `quay.io/cilium/operator:v1.13.4@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464` `docker.io/cilium/operator:stable@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464` `quay.io/cilium/operator:stable@sha256:f2068be1706717d0e0b29489dc0b93bf7f1940d18e0bea2def937286beb48464`Configuration
π Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.