unchama / kube-cluster-on-proxmox

Building a highly available Kubernetes cluster on Proxmox that is quick to create and quick to tear down
MIT License

chore(deps): update helm release cilium to v1.13.4 #73

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cilium (source) | minor | 1.12.2 -> 1.13.4 |

Release Notes

cilium/cilium

### [`v1.13.4`](https://togithub.com/cilium/cilium/releases/tag/v1.13.4): 1.13.4

[Compare Source](https://togithub.com/cilium/cilium/compare/1.13.3...1.13.4)

We are pleased to release Cilium v1.13.4. This release addresses the following security issue:

- [GHSA-r7wr-4w5q-55m6](https://togithub.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6)

It also contains fixes related to IPsec, datapath drop notifications, CPU overhead, downgrade path, RevSNAT for ICMPv6, as well as a range of other regular bugfixes. See the notes below for a full description of the changes.

## :warning: Warning - IPsec :warning:

**Do NOT upgrade to this release if you are using IPsec.**

## Summary of Changes

**Minor Changes:**

- Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25893](https://togithub.com/cilium/cilium/issues/25893), [@pchaigno](https://togithub.com/pchaigno))
- Updating documentation helm values now works also on arm64. (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25422](https://togithub.com/cilium/cilium/issues/25422), [@jrajahalme](https://togithub.com/jrajahalme))

**Bugfixes:**

- Add drop notifications for various error paths in the datapath. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25183](https://togithub.com/cilium/cilium/issues/25183), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf,datapath: read jiffies from /proc/schedstat (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25795](https://togithub.com/cilium/cilium/issues/25795), [@ti-mo](https://togithub.com/ti-mo))
- Compare annotations before discarding CiliumNode updates. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25465](https://togithub.com/cilium/cilium/issues/25465), [@LynneD](https://togithub.com/LynneD))
- CPU overhead regression introduced in v1.13 is fixed. ([#25548](https://togithub.com/cilium/cilium/issues/25548), [@jrajahalme](https://togithub.com/jrajahalme))
- Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25784](https://togithub.com/cilium/cilium/issues/25784), [@pchaigno](https://togithub.com/pchaigno))
- Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25724](https://togithub.com/cilium/cilium/issues/25724), [@pchaigno](https://togithub.com/pchaigno))
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25735](https://togithub.com/cilium/cilium/issues/25735), [@pchaigno](https://togithub.com/pchaigno))
- Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR [#25923](https://togithub.com/cilium/cilium/issues/25923), Upstream PR [#25419](https://togithub.com/cilium/cilium/issues/25419), [@bimmlerd](https://togithub.com/bimmlerd))
- Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR [#25897](https://togithub.com/cilium/cilium/issues/25897), Upstream PR [#25744](https://togithub.com/cilium/cilium/issues/25744), [@joamaki](https://togithub.com/joamaki))
- Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host ([#25962](https://togithub.com/cilium/cilium/issues/25962), [@jschwinger233](https://togithub.com/jschwinger233))
- Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR [#26160](https://togithub.com/cilium/cilium/issues/26160), Upstream PR [#26093](https://togithub.com/cilium/cilium/issues/26093), [@pchaigno](https://togithub.com/pchaigno))
- Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25674](https://togithub.com/cilium/cilium/issues/25674), [@jrajahalme](https://togithub.com/jrajahalme))
- Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#25953](https://togithub.com/cilium/cilium/issues/25953), [@pchaigno](https://togithub.com/pchaigno))
- Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25426](https://togithub.com/cilium/cilium/issues/25426), [@bleggett](https://togithub.com/bleggett))
- Fix RevSNAT for ICMPv6 packets. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25306](https://togithub.com/cilium/cilium/issues/25306), [@julianwiedmann](https://togithub.com/julianwiedmann))
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25936](https://togithub.com/cilium/cilium/issues/25936), [@joamaki](https://togithub.com/joamaki))
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#25969](https://togithub.com/cilium/cilium/issues/25969), [@jrajahalme](https://togithub.com/jrajahalme))
- gateway-api: Race condition between routes and Gateway (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25573](https://togithub.com/cilium/cilium/issues/25573), [@sayboras](https://togithub.com/sayboras))
- gateway-api: Skip reconciliation for non-matching controller routes (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25549](https://togithub.com/cilium/cilium/issues/25549), [@sayboras](https://togithub.com/sayboras))
- helm: Correct typo in Ingress validation (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25570](https://togithub.com/cilium/cilium/issues/25570), [@sayboras](https://togithub.com/sayboras))
- Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25803](https://togithub.com/cilium/cilium/issues/25803), [@pchaigno](https://togithub.com/pchaigno))

**CI Changes:**

- \[v1.13 backport] test: Switch target FQDN ([#25584](https://togithub.com/cilium/cilium/issues/25584), [@nbusseneau](https://togithub.com/nbusseneau))
- Add github workflow to push development helm charts to quay.io (Backport PR [#26087](https://togithub.com/cilium/cilium/issues/26087), Upstream PR [#25205](https://togithub.com/cilium/cilium/issues/25205), [@chancez](https://togithub.com/chancez))
- hostfw tests flake workaround (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25323](https://togithub.com/cilium/cilium/issues/25323), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- Pick up the latest startup-script image (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25774](https://togithub.com/cilium/cilium/issues/25774), [@michi-covalent](https://togithub.com/michi-covalent))
- test/k8s: add host firewall workaround for svc host policy test. (Backport PR [#25588](https://togithub.com/cilium/cilium/issues/25588), Upstream PR [#25461](https://togithub.com/cilium/cilium/issues/25461), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- test/k8s: for services test, wait for all applied manifests to delete (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25341](https://togithub.com/cilium/cilium/issues/25341), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- test/k8s: quarantine K8sDatapathServicesTest (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25670](https://togithub.com/cilium/cilium/issues/25670), [@aanm](https://togithub.com/aanm))
- test/k8s: update host policies for firewall tests. (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25374](https://togithub.com/cilium/cilium/issues/25374), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- test: delete ginkgo test "NodePort with L7 Policy from outside" (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25702](https://togithub.com/cilium/cilium/issues/25702), [@jschwinger233](https://togithub.com/jschwinger233))
- test: prevent panic on k8s services host fw test on some runs. (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25747](https://togithub.com/cilium/cilium/issues/25747), [@tommyp1ckles](https://togithub.com/tommyp1ckles))

**Misc Changes:**

- backport (v1.13): docs: Promote Deny Policies out of Beta ([#26147](https://togithub.com/cilium/cilium/issues/26147), [@nathanjsweet](https://togithub.com/nathanjsweet))
- bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR [#25855](https://togithub.com/cilium/cilium/issues/25855), Upstream PR [#25742](https://togithub.com/cilium/cilium/issues/25742), [@julianwiedmann](https://togithub.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.13) (patch) ([#25704](https://togithub.com/cilium/cilium/issues/25704), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) ([#25865](https://togithub.com/cilium/cilium/issues/25865), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) ([#26042](https://togithub.com/cilium/cilium/issues/26042), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) ([#25852](https://togithub.com/cilium/cilium/issues/25852), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) ([#25853](https://togithub.com/cilium/cilium/issues/25853), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) ([#25857](https://togithub.com/cilium/cilium/issues/25857), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`ac58ff7`](https://togithub.com/cilium/cilium/commit/ac58ff7) (v1.13) ([#25547](https://togithub.com/cilium/cilium/issues/25547), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) ([#25997](https://togithub.com/cilium/cilium/issues/25997), [@renovate](https://togithub.com/renovate)\[bot])
- ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR [#26200](https://togithub.com/cilium/cilium/issues/26200), Upstream PR [#26197](https://togithub.com/cilium/cilium/issues/26197), [@ti-mo](https://togithub.com/ti-mo))
- docs: Add Bottlerocket OS to validated distros (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25390](https://togithub.com/cilium/cilium/issues/25390), [@nebril](https://togithub.com/nebril))
- docs: document missing entity 'ingress' (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#25665](https://togithub.com/cilium/cilium/issues/25665), [@mhofstetter](https://togithub.com/mhofstetter))
- docs: Fix broken link to backends leak issue (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25278](https://togithub.com/cilium/cilium/issues/25278), [@akhilles](https://togithub.com/akhilles))
- docs: Improve BGP Control Plane page (Backport PR [#25731](https://togithub.com/cilium/cilium/issues/25731), Upstream PR [#23939](https://togithub.com/cilium/cilium/issues/23939), [@krouma](https://togithub.com/krouma))
- gateway-api: Remove unused function check
  ([#26058](https://togithub.com/cilium/cilium/issues/26058), [@ferozsalam](https://togithub.com/ferozsalam))
- install: Fail helm if kube-proxy-replacement is not valid (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25907](https://togithub.com/cilium/cilium/issues/25907), [@jrajahalme](https://togithub.com/jrajahalme))
- ipsec: Fix cleanup of XFRM states and policies (Backport PR [#26079](https://togithub.com/cilium/cilium/issues/26079), Upstream PR [#26072](https://togithub.com/cilium/cilium/issues/26072), [@pchaigno](https://togithub.com/pchaigno))
- Slim down Node handler interface (Backport PR [#25923](https://togithub.com/cilium/cilium/issues/25923), Upstream PR [#25450](https://togithub.com/cilium/cilium/issues/25450), [@bimmlerd](https://togithub.com/bimmlerd))
- test/provision/compile.sh: Make usable from dev VM (Backport PR [#25503](https://togithub.com/cilium/cilium/issues/25503), Upstream PR [#25352](https://togithub.com/cilium/cilium/issues/25352), [@jrajahalme](https://togithub.com/jrajahalme))
- Update network attacker sections of the threat model (Backport PR [#25977](https://togithub.com/cilium/cilium/issues/25977), Upstream PR [#25640](https://togithub.com/cilium/cilium/issues/25640), [@ferozsalam](https://togithub.com/ferozsalam))

**Other Changes:**

- envoy: Bump envoy version to v1.23.10 ([#25884](https://togithub.com/cilium/cilium/issues/25884), [@mhofstetter](https://togithub.com/mhofstetter))
- install: Update image digests for v1.13.3 ([#25726](https://togithub.com/cilium/cilium/issues/25726), [@thorn3r](https://togithub.com/thorn3r))
- wireguard: Always unset fwMark ([#25858](https://togithub.com/cilium/cilium/issues/25858), [@brb](https://togithub.com/brb))

### [`v1.13.3`](https://togithub.com/cilium/cilium/releases/tag/v1.13.3): 1.13.3

[Compare Source](https://togithub.com/cilium/cilium/compare/1.13.2...1.13.3)

We are pleased to release Cilium v1.13.3. This release fixes bugs in ipsec and policy implementations and is recommended for all users.

## Summary of Changes

**Major Changes:**

- Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR [#25019](https://togithub.com/cilium/cilium/issues/25019), Upstream PR [#24826](https://togithub.com/cilium/cilium/issues/24826), [@jrajahalme](https://togithub.com/jrajahalme))
- policy: Promote Deny Policies from Beta to Stable ([#25427](https://togithub.com/cilium/cilium/issues/25427), [@nathanjsweet](https://togithub.com/nathanjsweet))

**Minor Changes:**

- Drop traffic matching an egress gateway policy when no gateway are found (Backport PR [#24999](https://togithub.com/cilium/cilium/issues/24999), Upstream PR [#24835](https://togithub.com/cilium/cilium/issues/24835), [@MrFreezeex](https://togithub.com/MrFreezeex))
- ingress: Add ownerReferences for shared mode (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24942](https://togithub.com/cilium/cilium/issues/24942), [@sayboras](https://togithub.com/sayboras))
- sysdump: Added Kubernetes CNI logs to sysdump.
  (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#23937](https://togithub.com/cilium/cilium/issues/23937), [@marseel](https://togithub.com/marseel))
- Update CNI (loopback) to 1.3.0 (Backport PR [#25454](https://togithub.com/cilium/cilium/issues/25454), Upstream PR [#25400](https://togithub.com/cilium/cilium/issues/25400), [@anfernee](https://togithub.com/anfernee))
- Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#24914](https://togithub.com/cilium/cilium/issues/24914), [@margau](https://togithub.com/margau))

**Bugfixes:**

- Add support for builtin kernel modules (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#23953](https://togithub.com/cilium/cilium/issues/23953), [@TheAifam5](https://togithub.com/TheAifam5))
- Address cilium-agent startup performance regression. (Backport PR [#25185](https://togithub.com/cilium/cilium/issues/25185), Upstream PR [#25007](https://togithub.com/cilium/cilium/issues/25007), [@bimmlerd](https://togithub.com/bimmlerd))
- cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR [#25184](https://togithub.com/cilium/cilium/issues/25184), Upstream PR [#25117](https://togithub.com/cilium/cilium/issues/25117), [@pchaigno](https://togithub.com/pchaigno))
- datapath: Fix double SNAT (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#25189](https://togithub.com/cilium/cilium/issues/25189), [@brb](https://togithub.com/brb))
- DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25147](https://togithub.com/cilium/cilium/issues/25147), [@jrajahalme](https://togithub.com/jrajahalme))
- Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#25043](https://togithub.com/cilium/cilium/issues/25043), [@harsimran-pabla](https://togithub.com/harsimran-pabla))
- Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR [#25368](https://togithub.com/cilium/cilium/issues/25368), Upstream PR [#25298](https://togithub.com/cilium/cilium/issues/25298), [@asauber](https://togithub.com/asauber))
- Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR [#25086](https://togithub.com/cilium/cilium/issues/25086), Upstream PR [#24807](https://togithub.com/cilium/cilium/issues/24807), [@jschwinger233](https://togithub.com/jschwinger233))
- Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. ([#25241](https://togithub.com/cilium/cilium/issues/25241), [@giorio94](https://togithub.com/giorio94))
- Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#25024](https://togithub.com/cilium/cilium/issues/25024), [@pchaigno](https://togithub.com/pchaigno))
- Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24825](https://togithub.com/cilium/cilium/issues/24825), [@christarazi](https://togithub.com/christarazi))
- Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24785](https://togithub.com/cilium/cilium/issues/24785), [@giorio94](https://togithub.com/giorio94))
- Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25087](https://togithub.com/cilium/cilium/issues/25087), [@joamaki](https://togithub.com/joamaki))
- Fix incorrect network policy ebpf setup that may lead to incorrect packets denies when CEP is present in multiple CES (Backport PR [#25184](https://togithub.com/cilium/cilium/issues/25184), Upstream PR [#24838](https://togithub.com/cilium/cilium/issues/24838), [@alan-kut](https://togithub.com/alan-kut))
- Fix operator shutdown hanging when kvstore is enabled (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#24979](https://togithub.com/cilium/cilium/issues/24979), [@giorio94](https://togithub.com/giorio94))
- Fix operator startup delay caused by leader election lease not being released correctly (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#24978](https://togithub.com/cilium/cilium/issues/24978), [@giorio94](https://togithub.com/giorio94))
- Fix panic due to assignment to nil BGP service announcements map. (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24985](https://togithub.com/cilium/cilium/issues/24985), [@harsimran-pabla](https://togithub.com/harsimran-pabla))
- Fix permission issue when copying cni plugins onto host path (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#24891](https://togithub.com/cilium/cilium/issues/24891), [@JohnJAS](https://togithub.com/JohnJAS))
- Fix security-group-tags not working in ENI (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24951](https://togithub.com/cilium/cilium/issues/24951), [@aanm](https://togithub.com/aanm))
- Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25222](https://togithub.com/cilium/cilium/issues/25222), [@bimmlerd](https://togithub.com/bimmlerd))
- Fix syncing of relevant node annotations into CiliumNode (Backport PR [#25368](https://togithub.com/cilium/cilium/issues/25368), Upstream PR [#25307](https://togithub.com/cilium/cilium/issues/25307), [@meyskens](https://togithub.com/meyskens))
- Fix the bug when long-living connections using egress gateway may be reset. (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#24905](https://togithub.com/cilium/cilium/issues/24905), [@gentoo-root](https://togithub.com/gentoo-root))
- ipcache don't short-circuit InjectLabels if source differs (Backport PR [#25077](https://togithub.com/cilium/cilium/issues/25077), Upstream PR [#24875](https://togithub.com/cilium/cilium/issues/24875), [@squeed](https://togithub.com/squeed))
- pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24786](https://togithub.com/cilium/cilium/issues/24786), [@hemanthmalla](https://togithub.com/hemanthmalla))
- Track reply packets in long-living egress gateway connections and SNATed host-local connections. (Backport PR [#25424](https://togithub.com/cilium/cilium/issues/25424), Upstream PR [#25112](https://togithub.com/cilium/cilium/issues/25112), [@gentoo-root](https://togithub.com/gentoo-root))
- When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#22978](https://togithub.com/cilium/cilium/issues/22978), [@julianwiedmann](https://togithub.com/julianwiedmann))

**CI Changes:**

- Always use the 8.8.8.8 DNS resolver in kind (Backport PR [#25409](https://togithub.com/cilium/cilium/issues/25409), Upstream PR [#24713](https://togithub.com/cilium/cilium/issues/24713), [@aspsk](https://togithub.com/aspsk))
- ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#25046](https://togithub.com/cilium/cilium/issues/25046), [@nbusseneau](https://togithub.com/nbusseneau))
- Delete "Cilium monitor verbose mode" test (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25212](https://togithub.com/cilium/cilium/issues/25212), [@michi-covalent](https://togithub.com/michi-covalent))
- Enable testing of BPF programs requiring XDP_TX in CI (Backport PR [#25409](https://togithub.com/cilium/cilium/issues/25409), Upstream PR [#24250](https://togithub.com/cilium/cilium/issues/24250), [@lmb](https://togithub.com/lmb))
- inctimer: fix test flake where timer does not fire within time. (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25219](https://togithub.com/cilium/cilium/issues/25219), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- jenkinsfiles: Fix order of ginkgo tests (Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#25002](https://togithub.com/cilium/cilium/issues/25002), [@pchaigno](https://togithub.com/pchaigno))
- mlh: update Jenkins jobs following removal of kernel 4.9 support ([#24955](https://togithub.com/cilium/cilium/issues/24955), [@nbusseneau](https://togithub.com/nbusseneau))
- test: Unquarantine host firewall + nodeport test (Backport PR [#25184](https://togithub.com/cilium/cilium/issues/25184), Upstream PR [#25025](https://togithub.com/cilium/cilium/issues/25025), [@pchaigno](https://togithub.com/pchaigno))

**Misc Changes:**

- bpf: dsr: don't track L2 addresses for DSR traffic (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#24524](https://togithub.com/cilium/cilium/issues/24524), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#24794](https://togithub.com/cilium/cilium/issues/24794), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: lb: introduce an optimized CT lookup (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#22936](https://togithub.com/cilium/cilium/issues/22936), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: minor CT cleanups (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#23718](https://togithub.com/cilium/cilium/issues/23718), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: nodeport: minor DSR improvements (Backport PR [#24795](https://togithub.com/cilium/cilium/issues/24795), Upstream PR [#23326](https://togithub.com/cilium/cilium/issues/23326), [@julianwiedmann](https://togithub.com/julianwiedmann))
- chore(deps): update docker.io/library/golang:1.19.8 docker digest to [`9f2dd04`](https://togithub.com/cilium/cilium/commit/9f2dd04) (v1.13) ([#25421](https://togithub.com/cilium/cilium/issues/25421), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update hubble cli to v0.11.5 (v1.13) (patch) ([#25125](https://togithub.com/cilium/cilium/issues/25125), [@renovate](https://togithub.com/renovate)\[bot])
- daemon: Mark CES feature as beta in agent flag (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24850](https://togithub.com/cilium/cilium/issues/24850), [@pchaigno](https://togithub.com/pchaigno))
- docs: `socketLB.hostNamespaceOnly` also needed for gVisor (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25322](https://togithub.com/cilium/cilium/issues/25322), [@pchaigno](https://togithub.com/pchaigno))
- docs: Add matrix version between envoy and cilium (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#25109](https://togithub.com/cilium/cilium/issues/25109), [@sayboras](https://togithub.com/sayboras))
- docs: Add platform support to docs (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#25174](https://togithub.com/cilium/cilium/issues/25174), [@joestringer](https://togithub.com/joestringer))
- docs: small fixes for k8s upgrade guide (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24869](https://togithub.com/cilium/cilium/issues/24869), [@tklauser](https://togithub.com/tklauser))
- Documentation: add migration document (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#23751](https://togithub.com/cilium/cilium/issues/23751), [@squeed](https://togithub.com/squeed))
- documentation: move policy warning to v1.13.2 section ([#24997](https://togithub.com/cilium/cilium/issues/24997), [@squeed](https://togithub.com/squeed))
- envoy: Debug log remote IDs for Envoy policies (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24939](https://togithub.com/cilium/cilium/issues/24939), [@jrajahalme](https://togithub.com/jrajahalme))
- Fix missed clustermesh config change race condition with back-to-back changes (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24993](https://togithub.com/cilium/cilium/issues/24993), [@giorio94](https://togithub.com/giorio94))
- Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25230](https://togithub.com/cilium/cilium/issues/25230), [@giorio94](https://togithub.com/giorio94))
- Fixed documentation regarding cilium versioning scheme and support (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#25171](https://togithub.com/cilium/cilium/issues/25171), [@ayesha-kr](https://togithub.com/ayesha-kr))
- gha: Add retry mechanism in http test (Backport PR [#25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#25244](https://togithub.com/cilium/cilium/issues/25244), [@sayboras](https://togithub.com/sayboras))
- helm: add clustermesh nodeport config warning about known bug [#24692](https://togithub.com/cilium/cilium/issues/24692) (Backport PR [#25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#25033](https://togithub.com/cilium/cilium/issues/25033), [@giorio94](https://togithub.com/giorio94))
- hive: Don't log interrupt signal as error (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#23880](https://togithub.com/cilium/cilium/issues/23880), [@joamaki](https://togithub.com/joamaki))
- ipsec: Install default-drop XFRM
policy sooner (Backport PR [#​25346](https://togithub.com/cilium/cilium/issues/25346), Upstream PR [#​25257](https://togithub.com/cilium/cilium/issues/25257), [@​pchaigno](https://togithub.com/pchaigno)) - Makefile: use a specific template for mktemp files (Backport PR [#​25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#​25192](https://togithub.com/cilium/cilium/issues/25192), [@​kaworu](https://togithub.com/kaworu)) - node/manager: Only remove old IPs if they weren't already added (Backport PR [#​25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#​25067](https://togithub.com/cilium/cilium/issues/25067), [@​christarazi](https://togithub.com/christarazi)) - pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR [#​25223](https://togithub.com/cilium/cilium/issues/25223), Upstream PR [#​24770](https://togithub.com/cilium/cilium/issues/24770), [@​aditighag](https://togithub.com/aditighag)) - Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (Backport PR [#​25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#​24874](https://togithub.com/cilium/cilium/issues/24874), [@​tklauser](https://togithub.com/tklauser)) - Update the documentation for required IAM policy rights needed for Cilium to work in EKS. 
(Backport PR [#25137](https://togithub.com/cilium/cilium/issues/25137), Upstream PR [#25078](https://togithub.com/cilium/cilium/issues/25078), [@toredash](https://togithub.com/toredash)) - Update threat model (Backport PR [#25013](https://togithub.com/cilium/cilium/issues/25013), Upstream PR [#24760](https://togithub.com/cilium/cilium/issues/24760), [@ferozsalam](https://togithub.com/ferozsalam)) **Other Changes:** - \[v1.13] contrib/backporting: Fix main branch reference ([#25091](https://togithub.com/cilium/cilium/issues/25091), [@joestringer](https://togithub.com/joestringer)) - envoy: Upgrade to v1.23.9 ([#25208](https://togithub.com/cilium/cilium/issues/25208), [@sayboras](https://togithub.com/sayboras)) - install: Update image digests for v1.13.2 ([#24952](https://togithub.com/cilium/cilium/issues/24952), [@gentoo-root](https://togithub.com/gentoo-root)) - v1.13: docs: Document upgrade impact for IPsec ([#24963](https://togithub.com/cilium/cilium/issues/24963), [@pchaigno](https://togithub.com/pchaigno)) - v1.13: docs: Fix typo in IPsec upgrade note ([#24973](https://togithub.com/cilium/cilium/issues/24973), [@pchaigno](https://togithub.com/pchaigno))
### [`v1.13.2`](https://togithub.com/cilium/cilium/releases/tag/v1.13.2): 1.13.2 [Compare Source](https://togithub.com/cilium/cilium/compare/1.13.1...1.13.2) We are pleased to release Cilium v1.13.2.
This release addresses the following security issue: - [GHSA-pg5p-wwp8-97g8](https://togithub.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8) Note: When updating to this release, make sure that you are using the new helm chart version. ## Summary of Changes **Known Issues:** - There is a known issue ([#24502](https://togithub.com/cilium/cilium/issues/24502)) with CiliumNetworkPolicies that makes the `kube-apiserver` entity unreliable. Until this is resolved, it is recommended to remain on Cilium v1.12 or earlier if you are using the `kube-apiserver` entity in your CiliumNetworkPolicies. **Minor Changes:** - envoy: Bump envoy to v1.23.8 ([#24909](https://togithub.com/cilium/cilium/issues/24909), [@sayboras](https://togithub.com/sayboras)) - envoy: Bump envoy version to v1.23.7 ([#24746](https://togithub.com/cilium/cilium/issues/24746), [@sayboras](https://togithub.com/sayboras)) - Move poststart eni script to agent pod from nodeinit pod (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24134](https://togithub.com/cilium/cilium/issues/24134), [@nebril](https://togithub.com/nebril)) - Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR [#24821](https://togithub.com/cilium/cilium/issues/24821), Upstream PR [#24612](https://togithub.com/cilium/cilium/issues/24612), [@harsimran-pabla](https://togithub.com/harsimran-pabla)) - Support L2-less devices with fast forward (bpf-based host routing) (Backport PR [#24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#23935](https://togithub.com/cilium/cilium/issues/23935), [@jschwinger233](https://togithub.com/jschwinger233)) **Bugfixes:** - agent: rework clustermesh config watcher for increased robustness (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24163](https://togithub.com/cilium/cilium/issues/24163), [@giorio94](https://togithub.com/giorio94)) - bpf: dsr: fix parsing of IPv6 AUTH 
extension header (Backport PR [#​24821](https://togithub.com/cilium/cilium/issues/24821), Upstream PR [#​24792](https://togithub.com/cilium/cilium/issues/24792), [@​julianwiedmann](https://togithub.com/julianwiedmann)) - bpf: fix ipv6 extension header parsing error (Backport PR [#​24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#​24309](https://togithub.com/cilium/cilium/issues/24309), [@​chenyuezhou](https://togithub.com/chenyuezhou)) - bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR [#​24821](https://togithub.com/cilium/cilium/issues/24821), Upstream PR [#​24797](https://togithub.com/cilium/cilium/issues/24797), [@​julianwiedmann](https://togithub.com/julianwiedmann)) - Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR [#​24607](https://togithub.com/cilium/cilium/issues/24607), Upstream PR [#​24339](https://togithub.com/cilium/cilium/issues/24339), [@​giorio94](https://togithub.com/giorio94)) - daemon: initialize datapath before compiling sockops programs (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#​24140](https://togithub.com/cilium/cilium/issues/24140), [@​jibi](https://togithub.com/jibi)) - egressgw: update all internal caches once k8s state is synced (Backport PR [#​24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#​24034](https://togithub.com/cilium/cilium/issues/24034), [@​jibi](https://togithub.com/jibi)) - endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR [#​24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#​24575](https://togithub.com/cilium/cilium/issues/24575), [@​mhofstetter](https://togithub.com/mhofstetter)) - Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR 
[#24046](https://togithub.com/cilium/cilium/issues/24046), [@oblazek](https://togithub.com/oblazek)) - Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR [#24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#24619](https://togithub.com/cilium/cilium/issues/24619), [@giorio94](https://togithub.com/giorio94)) - Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24304](https://togithub.com/cilium/cilium/issues/24304), [@dylandreimerink](https://togithub.com/dylandreimerink)) - Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#23764](https://togithub.com/cilium/cilium/issues/23764), [@christarazi](https://togithub.com/christarazi)) - Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24189](https://togithub.com/cilium/cilium/issues/24189), [@forgems](https://togithub.com/forgems)) - Fix for disabled cloud provider rate limiting (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24413](https://togithub.com/cilium/cilium/issues/24413), [@hemanthmalla](https://togithub.com/hemanthmalla)) - Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible ([#24870](https://togithub.com/cilium/cilium/issues/24870), [@aanm](https://togithub.com/aanm)) - Fixed bug 
where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR [#​24843](https://togithub.com/cilium/cilium/issues/24843), Upstream PR [#​24788](https://togithub.com/cilium/cilium/issues/24788), [@​jrajahalme](https://togithub.com/jrajahalme)) - gateway-api: Re-queue gateway for namespace change (Backport PR [#​24758](https://togithub.com/cilium/cilium/issues/24758), Upstream PR [#​24624](https://togithub.com/cilium/cilium/issues/24624), [@​sayboras](https://togithub.com/sayboras)) - Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR [#​24758](https://togithub.com/cilium/cilium/issues/24758), Upstream PR [#​24681](https://togithub.com/cilium/cilium/issues/24681), [@​aditighag](https://togithub.com/aditighag)) - helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR [#​24821](https://togithub.com/cilium/cilium/issues/24821), Upstream PR [#​24666](https://togithub.com/cilium/cilium/issues/24666), [@​giorio94](https://togithub.com/giorio94)) - ipsec: Clean up stale XFRM policies and states (Backport PR [#​24821](https://togithub.com/cilium/cilium/issues/24821), Upstream PR [#​24773](https://togithub.com/cilium/cilium/issues/24773), [@​pchaigno](https://togithub.com/pchaigno)) - Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR [#​24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#​24646](https://togithub.com/cilium/cilium/issues/24646), [@​MrFreezeex](https://togithub.com/MrFreezeex)) - Services backends with publishNotReadyAddresses 
are able to receive traffic independently if they are Terminating, since it is the user's intent to make them reachable despite their state. (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24174](https://togithub.com/cilium/cilium/issues/24174), [@aojea](https://togithub.com/aojea)) - Set user-agent for k8s client with Cilium's version (Backport PR [#24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#24275](https://togithub.com/cilium/cilium/issues/24275), [@aanm](https://togithub.com/aanm)) - Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (Backport PR [#24814](https://togithub.com/cilium/cilium/issues/24814), Upstream PR [#24672](https://togithub.com/cilium/cilium/issues/24672), [@bimmlerd](https://togithub.com/bimmlerd)) **CI Changes:** - bpf/test: Add unit test to check whether netpol drops result in metric counter increment (Backport PR [#24607](https://togithub.com/cilium/cilium/issues/24607), Upstream PR [#24469](https://togithub.com/cilium/cilium/issues/24469), [@brb](https://togithub.com/brb)) - bpf/tests: fix mac addresses definitions in egressgw test (Backport PR [#24607](https://togithub.com/cilium/cilium/issues/24607), Upstream PR [#23351](https://togithub.com/cilium/cilium/issues/23351), [@jibi](https://togithub.com/jibi)) - datapath/linux/route: fix CI expectations for rule string format (Backport PR [#24607](https://togithub.com/cilium/cilium/issues/24607), Upstream PR [#24577](https://togithub.com/cilium/cilium/issues/24577), [@NikAleksandrov](https://togithub.com/NikAleksandrov)) - Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR [#24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#24484](https://togithub.com/cilium/cilium/issues/24484), [@jschwinger233](https://togithub.com/jschwinger233)) - Fixed flake in the 
`TestRequestIPWithMismatchedLabel` LB-IPAM tests. (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#​23297](https://togithub.com/cilium/cilium/issues/23297), [@​dylandreimerink](https://togithub.com/dylandreimerink)) - gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR [#​24441](https://togithub.com/cilium/cilium/issues/24441), Upstream PR [#​24025](https://togithub.com/cilium/cilium/issues/24025), [@​sayboras](https://togithub.com/sayboras)) - Increase timeout waiting for resources in Ingress conformance test (Backport PR [#​24441](https://togithub.com/cilium/cilium/issues/24441), Upstream PR [#​24388](https://togithub.com/cilium/cilium/issues/24388), [@​meyskens](https://togithub.com/meyskens)) - Port verifier tests to Go (Backport PR [#​24706](https://togithub.com/cilium/cilium/issues/24706), Upstream PR [#​24538](https://togithub.com/cilium/cilium/issues/24538), [@​ti-mo](https://togithub.com/ti-mo)) - renovate: Fix Hubble release digest regex (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#​24477](https://togithub.com/cilium/cilium/issues/24477), [@​gandro](https://togithub.com/gandro)) - test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#​24144](https://togithub.com/cilium/cilium/issues/24144), [@​joestringer](https://togithub.com/joestringer)) - test: Remove some {DP,Services} Ginkgo test cases (Backport PR [#​24547](https://togithub.com/cilium/cilium/issues/24547), Upstream PR [#​24223](https://togithub.com/cilium/cilium/issues/24223), [@​brb](https://togithub.com/brb)) - test: Update 1.26 k8s version (Backport PR [#​24607](https://togithub.com/cilium/cilium/issues/24607), Upstream PR [#​24569](https://togithub.com/cilium/cilium/issues/24569), [@​sayboras](https://togithub.com/sayboras)) - tests: add exceptions for lease errors due to etcd (Backport 
PR [#​24758](https://togithub.com/cilium/cilium/i

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.