1.14.0-snapshot.0

@brb

Summary of Changes

Major Changes:

Add WireGuard host2host and LB encryption (#19401, @brb)
policy: Promote Deny Policies from Beta to Stable (#22966, @nathanjsweet)

Minor Changes:

Add CLI command to dump cgroups metadata (#23641, @alexkats)
Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
Add pod-name hubble metrics context for pod name label without namespace (#23199, @chancez)
Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#23719, @meyskens)
alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
egressgw: add support for excludedCIDRs (#23448, @jibi)
Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
helm: Add pod and container security context (#23443, @sayboras)
helm: Add SA automount configuration (#23441, @sayboras)
helm: Add support of annotations in hubble ui service (#23709, @brnck)
helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
ingress: Add loadBalancerIP and loadBalancerClass (#22670, @oliver-ni)
install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
operator: proper rolling update (#23589, @mhofstetter)
option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)

Bugfixes:

bpf: Fix broken remote-node identity classification (#23091, @ysksuzuki)
clustermesh: fix cluster synchronization wait group increment (#23741, @giorio94)
clustermesh: fix services cache bloat due to incorrect deletion (#23947, @giorio94)
datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
egressgw: update all internal caches once k8s state is synced (#24034, @jibi)
Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (#23825, @ldelossa)
Fix memory leak caused on clustermesh reconnect. (#23785, @oblazek)
Fix operator crash race condition for CES identity map concurrent read/write (#23605, @dlapcevic)
Fix restoreServicesLocked() potential nil pointer panic (#23446, @dlapcevic)
fix(helm): add missing updateStrategy to hubble-ui deployment (#23975, @mhulscher)
Fixes a bug where the Helm value cni.configMap no longer worked. (#23743, @squeed)
Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (#23532, @squeed)
gateway-api: Combine metrics registry with operator (#23501, @sayboras)
Hubble Relay: fix reported uptime (#23966, @rolinh)
ipam/crd: Fix panic due to concurrent map read and map write (#23713, @gandro)
kvstore: prevent deletion delay for node-unrelated events (#23745, @giorio94)
Parses the IP addr passed as CIDR from the delegated IPAM and then use the IP addr from the parsed prefix. (#22918, @vipul-21)
Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
Revert "datapath: Remove 2005 route table" (#23346, @brb)
Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
watchers: endpointsync can manage already owned CiliumEndpoints. (#23499, @tommyp1ckles)

CI Changes:

.github: Clean up RBAC artifacts for v1.13 CI (#22823, @joestringer)
.github: Pin docker buildx version to v0.9.1 (#23206, @joestringer)
[UT]improve network_policy_test.go for apiversion (#22591, @my-git9)
Add initial fuzz coverage of linux node handler. (#22577, @AdamKorcz)
bpf/test: Get rid of 4.9 leftovers (#23399, @brb)
bpf/tests: fix mac addresses definitions in egressgw test (#23351, @jibi)
build: Generate SBOM during image release (#23221, @joestringer)
ci/multicluster: Re-enable WireGuard testing (#22815, @gandro)
ci: Disable WireGuard in ci-multicluster again (#23045, @gandro)
ci: remove GKE from Jenkins jobs (#23826, @nbusseneau)
ci: remove test namespace deletion workaround in GKE v1.12 workflow (#22655, @tklauser)
ci: replace deprecated set-output command in integraton test workflow (#23633, @tklauser)
CI: switch to registry.k8s.io (#23821, @ameukam)
ci: update cilium-cli to v0.12.12 (#23030, @tklauser)
Disable failing encryption connectivity tests on GKE (#23183, @brlbil)
Fix k8s podCIDRs for vagrant deployment (#22786, @romanspb80)
Fix potential panic logic for checker.go (#22354, @yanggangtony)
gh/workflow: Remove specific GKE 1.24.5 version (#23164, @brlbil)
gh/workflows: Fix encryption installation in ci-datapath (#23325, @brb)
gha: Bump timeout to 90 minutes for build commit. (#23996, @sayboras)
gha: Run integration tests in GHA (#22900, @sayboras)
kludge: hardcode Google Cloud SDK key due to error 500 (#24045, @nbusseneau)
lint: enable gosec G402 (minimum TLS version) (#23247, @kaworu)
mlh: update Jenkins jobs following removal of kernel 4.9 support (#23822, @nbusseneau)
Move datapath verifier tests into GH actions workflow (#22754, @tklauser)
pin managed clusters' K8s version on stable branches (#22724, @nbusseneau)
pkg/k8s: Clean-up: Remove duplicate package import in pkg/k8s/factory_functions_test.go (#23433, @my-git9)
policy: add two more fuzzers (#22336, @AdamKorcz)
Quarantine "K8sDatapathConfig Iptables Skip conntrack for pod traffic test. (#23824, @marseel)
resource: Work around a rare race in initial sync (#23292, @joamaki)
Revert "build: Generate SBOM during image release" (#23204, @ldelossa)
Revert "Use workflow configuration variables for quay organization na… (#23169, @michi-covalent)
test, jenkinsfile: Clean up natnetworks in CI after test run (#22704, @pchaigno)
test/Vagrantfile: Debug information for natnetwork (#22675, @pchaigno)
test/Vagrantfile: Don't hide natnetwork errors (#22702, @pchaigno)
test: add comments for NFS's IP ranges on local CI VM scripts (#22934, @Shunpoco)
test: Bump timeout of service plumbing check (#23439, @pchaigno)
test: Dump VirtualBox version used in CI jobs (#22701, @pchaigno)
test: Enable Envoy trace logs for TLS test (#22646, @jrajahalme)
test: ensure cleanup in hubble "test L7 flow" (#23525, @giorio94)
test: Exclude per-endpoint object files from artifacts (#23382, @pchaigno)
test: Get rid of 4.9 pipeline (#23343, @brb)
test: Remove unused SkipGKEQuarantined helper (#23354, @pchaigno)
test: Unquarantine K8sDatapathConfig Encapsulation (#22674, @pchaigno)
test: Unquarantine tests for iptables-based masquerading (#23228, @pchaigno)
test: Unquarantine working FQDN test (#23357, @pchaigno)
test: Update policy for hairpin flow validation (#23480, @aditighag)
Update image registry to quay.io (#23093, @obaranov1)
Use workflow configuration variables for quay organization names (#23145, @michi-covalent)
vagrant: bump box versions to pick up Go 1.20.1 (#23983, @tklauser)
vagrant: Bump VM images to the latest versions (#22781, @pchaigno)
workflow: Cover VXLAN + IPsec + endpoint routes in datapath tests (#23396, @pchaigno)
workflow: Disable monitor aggregation in IPv6 smoke test (#23816, @pchaigno)
workflow: enable pod-to-world tests (#23103, @brlbil)
workflow: Reenable L7 tests on EKS + IPsec (#22617, @pchaigno)
workflows: add trigger sentence in ci-verifier workflow file (#23587, @kaworu)
workflows: Pin gke to 1.24.5 (#22798, @joamaki)

Misc Changes:

.gitattributes: Highlight Jenkinsfiles as Groovy (#23435, @pchaigno)
.gitattributes: Mark install/kubernetes/cilium/values.yaml as generated (#24007, @qmonnet)
.github: fix renovate docker image update (#23229, @aanm)
.github: fix renovate's config file (#23231, @aanm)
@errordeveloper is no longer an active committer (#23293, @errordeveloper)
[cilium cmd] fix wrong notes. (#22871, @yanggangtony)
[cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. (#22873, @yanggangtony)
[UT] k8s/utils/util.go ut enhancement (#23680, @my-git9)
add CNCF Resources and Link CoC to Governance docs (#23689, @xmulligan)
add Cosmonic to the Users file (#23290, @xmulligan)
Add fuzzer for pkg/fqdn (#22519, @AdamKorcz)
Add information about securing access to Cilium pods and provide a single page security reference (#23599, @zacharysarah)
Add leader requirement to watch from Etcd. (#23590, @marseel)
add renovate support for go mod (#23864, @aanm)
Add Robinhood Markets to Cilium USERS.md (#24026, @madhusudancs)
Add S&P Global to Users (#23700, @xmulligan)
add toEntities/fromEntities CRD description missing options (#22279, @slayer321)
add versioning schema for WireGuard in Renovate (#24015, @aanm)
Added link to CFP Design repo (#23792, @xmulligan)
Adding eni limits for missing aws instances of families c7g, m6idn, m6in, m7g, r6idn, r6in, and r7g` (#23835, @muratso)
agent: dump stack on stale probes (#23915, @squeed)
Alibabacloud API request performance improvements (#22478, @jaffcheng)
auth: introduce hive cell (modularization) (#24041, @mhofstetter)
bpf & envoy: Add support for authentication on ingress policies (#23839, @mhofstetter)
bpf: Consistent usage of MARK_MAGIC_ constants (#23125, @pchaigno)
bpf: encap: endianness cleanups (#23931, @julianwiedmann)
bpf: Fix usage of tunnel map structs (#23469, @pchaigno)
bpf: handle VLAN before XDP meta-data in from-netdev (#24063, @julianwiedmann)
bpf: Introduce per-cluster conntrack maps (#22857, @YutaroHayakawa)
bpf: L3 cleanups (#23876, @julianwiedmann)
bpf: lb: introduce an optimized CT lookup (#22936, @julianwiedmann)
bpf: minor CT cleanups (#23718, @julianwiedmann)
bpf: minor improvements to XDP punt with XFER_PKT_NO_SVC (#23106, @julianwiedmann)
bpf: nodeport: minor DSR improvements (#23326, @julianwiedmann)
bpf: Remove dead code for consistency between IPv4/v6 (#24008, @pchaigno)
bpf: Remove flowlabel optimization for identity (#23795, @pchaigno)
bpf: remove redundant policy_mark_skip() in handle_ipv6_from_lxc() (#23447, @julianwiedmann)
bpf: Remove unneeded orig_dip from ipv6_host_policy_egress (#23724, @gentoo-root)
bpf: Remove unneeded orig_sip from ipv6_host_policy_ingress (#23577, @gentoo-root)
bpf_test: use bpf.LoadCollection, print full verifier error logs (#23281, @ti-mo)
Build test darwin target (#23358, @aditighag)
build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22981, @dependabot[bot])
build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23450, @dependabot[bot])
build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22956, @dependabot[bot])
build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23411, @dependabot[bot])
build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22706, @dependabot[bot])
build(deps): bump actions/stale from 6.0.1 to 7.0.0 (#22828, @dependabot[bot])
build(deps): bump azure/setup-helm from 3.4 to 3.5 (#22705, @dependabot[bot])
build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23112, @dependabot[bot])
build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23489, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23449, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23593, @dependabot[bot])
build(deps): bump github.com/cilium/lumberjack/v2 from 2.2.2 to 2.3.0 (#22448, @dependabot[bot])
build(deps): bump github.com/containernetworking/plugins from 1.1.1 to 1.2.0 (#23294, @dependabot[bot])
build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.23+incompatible (#23388, @dependabot[bot])
build(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible (#23664, @dependabot[bot])
build(deps): bump github.com/go-openapi/spec from 0.20.7 to 0.20.8 (#23673, @dependabot[bot])
build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.26.0 (#23295, @dependabot[bot])
build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.10.0 (#22908, @dependabot[bot])
build(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 (#23069, @dependabot[bot])
build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.23.1 (#23511, @dependabot[bot])
build(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#23414, @dependabot[bot])
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22758, @dependabot[bot])
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23410, @dependabot[bot])
build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23608, @dependabot[bot])
build(deps): bump github/codeql-action from 959cbb7472c4d4ad70cdfe6f4976053fe48ab394 to 2.1.39 (#23196, @dependabot[bot])
build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.6 to 3.5.7 (#23571, @dependabot[bot])
build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.6 to 3.5.7 (#23649, @dependabot[bot])
build(deps): bump go.opentelemetry.io/otel/trace from 1.11.2 to 1.12.0 (#23454, @dependabot[bot])
build(deps): bump go.uber.org/dig from 1.15.0 to 1.16.0 (#23039, @dependabot[bot])
build(deps): bump go.uber.org/dig from 1.16.0 to 1.16.1 (#23188, @dependabot[bot])
build(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#23067, @dependabot[bot])
build(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#22941, @dependabot[bot])
build(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#23651, @dependabot[bot])
build(deps): bump golang.org/x/tools from 0.4.0 to 0.5.0 (#23610, @dependabot[bot])
build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23249, @dependabot[bot])
build(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 (#23570, @dependabot[bot])
build(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.3 (#23390, @dependabot[bot])
build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22707, @dependabot[bot])
build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23386, @dependabot[bot])
build(deps): bump nick-invision/retry from 2.8.2 to 2.8.3 (#22895, @dependabot[bot])
build: custom-vet-check should respect make variable GO (#23668, @mhofstetter)
Bump readme with 1.13.0 (#23786, @aanm)
Bumped CoverBee to v0.3.0 and cilium/ebpf to v0.10.0 (#23212, @dylandreimerink)
certificatemanager,daemon: Modularized the certificate manager (#23132, @dylandreimerink)
chore(deps): update actions/checkout action to v3.3.0 (master) (#23674, @renovate[bot])
chore(deps): update all github action dependencies (master) (minor) (#24006, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#23671, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#23918, @renovate[bot])
chore(deps): update base-images (master) (#22565, @renovate[bot])
chore(deps): update base-images (master) (minor) (#23563, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.1 (master) (#23518, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.2 (master) (#23773, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.17.1 (master) (#22996, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.17.2 (master) (#23672, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23753, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23754, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.20.1 (master) (#23562, @renovate[bot])
chore(deps): update docker.io/library/golang:1.19.5 docker digest to 572f680 (master) (#23575, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f05532b (master) (#23477, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 21e5d22 (master) (#23726, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 26d07ba (master) (#23352, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 42ddd0c (master) (#23602, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 48e033b (master) (#23654, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6b01107 (master) (#23498, @renovate[bot])
chore(deps): update github/codeql-action action to v2.2.5 (master) (#24023, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.1 (master) (#23519, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (master) (#23774, @renovate[bot])
chore: Fix typos in comments (#22837, @mainred)
chore: use errors.Is to check for a specific error (#22912, @Fish-pro)
ci, l4lb: Remove leftover args after DinD conversion (#23257, @borkmann)
ci: update cilium-cli using renovate bot (#23902, @tklauser)
cilium-cni: remove duplicated link set up operation (#23766, @giorio94)
Cleanup: improve metav1 package import statement (#23248, @my-git9)
cli: Remove unnecessary type for variable vp (Viper) (#23105, @tanberBro)
clustermesh/types: don't panic on invalid IP in PrefixClusterFromCIDR (#23137, @tklauser)
clustermesh: Introduce per-cluster NAT maps (#22875, @YutaroHayakawa)
clustermesh: Make IPCache CPlane aware of the ClusterID (#22935, @YutaroHayakawa)
cmd/policy: Close file descriptor if required (#23945, @jiuker)
CODEOWNERS: Add ownerships of new BGP team (#23916, @pchaigno)
CODEOWNERS: additional coverage (#23494, @tklauser)
CODEOWNERS: assign /pkg/auth to sig-servicemesh (#23844, @mhofstetter)
CODEOWNERS: assign images/hubble-relay to SIG Hubble (#23277, @rolinh)
CODEOWNERS: assign operator/pkg/{gateway-api,model} to @cilium/sig-servicemesh (#22683, @tklauser)
CODEOWNERS: Cover test/bpf_tests by sig-datapath (#22928, @christarazi)
CODEOWNERS: Cover the egress gateway guide (#23194, @pchaigno)
CODEOWNERS: Fold cilium/health into cilium/sig-agent (#23952, @pchaigno)
CODEOWNERS: Make Hubble team (not docs-structure) own examples/hubble (#23778, @qmonnet)
contrib/kind: default to dual-stack clusters (#23646, @squeed)
contrib: Add devcontainer configuration (#22856, @sayboras)
contrib: Fix GitHub token check to allow fine-grained tokens (#22963, @gentoo-root)
contrib: output easier way to install Cilium in kind. (#23488, @squeed)
contrib: Set IPv6 for dual-stack Kubenetes nodeIP on dev VM (#23543, @jschwinger233)
daemon, ipcache: Plumb root context to IP identity watcher (#22626, @christarazi)
daemon: Clarify host IP sync controller's intent (#21743, @christarazi)
dev: disable bpf monitor aggregation in kind helm values (#23846, @mhofstetter)
dnsproxy: Improve regex used for matching dns queries by reducing its complexity and size to save memory and speed up matching (#20246, @odinuge)
Do not upgrade to golang 1.20 in 1.13 branch (#23723, @aanm)
docs(bpf): update unprivileged_bpf_disabled description (#23378, @spacewander)
docs: add FOSSA badge to readme (#22737, @lizrice)
docs: Add notes for dev setup for Ubuntu desktop (#23691, @jschwinger233)
docs: Add requirements for installing Cilium on Raspberry Pi (#23337, @darox)
docs: add trace observation point description (#23028, @mainred)
docs: Clarify basic kernel requirement (#23951, @pchaigno)
docs: Clarify committer vote procedures (#22787, @joestringer)
docs: Document the hooks that Cilium uses (#22792, @joestringer)
docs: Fix a typo in Istio integration documentation (#23584, @yanggangtony)
docs: Fix a typo in K8s with Kubespray installation guide (#23585, @yanggangtony)
docs: Fix the dead link to Mellanox performance tuning guide (#24012, @gentoo-root)
docs: Make CRD compat script work on older trees (#23710, @joestringer)
docs: modify PRELOAD_VM for local CI VM (#22902, @Shunpoco)
docs: Policy Audit Mode improvements (#23591, @kaworu)
docs: Promote Deny Policies out of Beta (#23921, @nathanjsweet)
docs: Regenerate codeowners documentation (#23979, @pchaigno)
docs: replace usage of api.twitter.com (#23669, @kaworu)
docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (#24014, @qmonnet)
docs: Update Documentation on Deny Policy Bug Fix (#23468, @nathanjsweet)
docs: Update hostfw tuto with ICMP policy rule (#22999, @pchaigno)
docs: Update KPR limitations wrt IPsec (#22775, @raymonddejong)
docs: Update output for "cilium status" when troubleshooting (extensions/v1beta1::Ingress now deprecated in favor of networking.k8s.io/v1beta1::Ingress) (#22968, @yulng)
Document contributor steps to update the Helm chart (#23739, @meyskens)
Document exemplars option for hubble httpV2 metrics (#23620, @chancez)
Document that the install-egress-gateway-routes flag is only for EKS's ENI mode in egress gateway guide (#23616, @deepeshaburse)
Documentation: Add documentation for hive (#23746, @joamaki)
Documentation: enable parallel builds (#23752, @squeed)
drop v1.10 support (#23903, @aanm)
e2e-tests: git-ignore directory old-charts (#23705, @mhofstetter)
egressgw: add policies by source IP cache (#23967, @jibi)
egressgw: optimize policy matching logic (#24042, @jibi)
EndpointManager and NodeManager Cells (#21746, @joamaki)
endpointmgr: guard against potential nil deref (#22521, @ldelossa)
etcd: print debug message event value as string (#23714, @giorio94)
Extend ipcache key with ClusterID (#22200, @YutaroHayakawa)
Extend tunnel map key with ClusterID (#22687, @YutaroHayakawa)
Fix 404s in the README.md (#23954, @aanm)
Fix TLS policies after certificatemanager modularization (#23895, @tklauser)
fix: clean golang code for golint (#22665, @yulng)
fix:'go routine' should be 'goroutine' (#22904, @yulng)
fix:prevent goroutine leakage for pkg/k8s/watchers (#22362, @yulng)
fix:Use ID instead of Id (#22569, @yulng)
Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (#22980, @dylandreimerink)
Fixed broken/deprecated links (#23920, @PhilipSchmid)
Fixed link to broken anchor in RKE doc (#23706, @raphink)
Fixes a flake in the kubectl wait part of the CI (#23733, @meyskens)
fix：make fsnotify event more readable (#22903, @yulng)
gha: Replace deprecated set-output commands (#22890, @sayboras)
go.mod, vendor: bump sigs.k8s.io/controller-runtime to v0.14.1 (#23011, @tklauser)
helm: Allow adding annotations to certgen Job and CronJob (#22356, @eripa)
hive: Add hive.Command() (#23074, @joamaki)
hive: Don't log interrupt signal as error (#23880, @joamaki)
hubble-relay: set WORKDIR to nonroot home (#23405, @kaworu)
hubble: add a unique identifier to flows (#23638, @kaworu)
hubble: fix Hubble Relay BASE_IMAGE (#23636, @kaworu)
identity, policy: remove unused arguments from interfaces (#23946, @lmb)
images: update cilium-{runtime,builder} (#23146, @joestringer)
images: update golang images to 1.19.5 (#23157, @aanm)
images: update gops using renovate bot (#23907, @tklauser)
improve inclusive language in governance (#23109, @xmulligan)
Improve logging statements in CES usage and reduce code reuse (#22428, @yanggangtony)
init.sh: clean up cgroup bpf_links created by newer versions of Cilium (#23537, @ti-mo)
internal-feature: We removed all instances of io.ReadAll to reduce the attack surface of possible DoS attacks. (#22602, @nathanjsweet)
introduces dedicated inline functions for per-packet-lb service translation on pod egress (#23715, @ldelossa)
ipam: clean up terminology around excluded IPs (#23942, @tklauser)
ipam: various minor cleanups (#23383, @tklauser)
ipcache: Add ability to override identity via UpsertMetadata (#21667, @gandro)
ipcache: Fix wrong assertion in ipcache metadata test (#23549, @christarazi)
IPsec: Remove IP_POOLS logic (#24030, @pchaigno)
k8s/watchers: Fix race condition in init functions (#23170, @christarazi)
k8s: use core/v1 consts for topology-aware hints annotation/label (#23538, @tklauser)
kafka, go.mod, vendor: use github.com/cilium/kafka fork (#22689, @tklauser)
kvstore: add clusterName suffix to session controllers (#23928, @oblazek)
kvstore: Propagate ClusterID with Service (#23514, @YutaroHayakawa)
labels, ipcache: Introduce convenience NewFrom() (#23218, @christarazi)
MAINTAINERS.md: add Casey Callendrello to the list of maintainers (#23344, @tklauser)
MAINTAINERS.md: add Julian Wiedmann (#23278, @tklauser)
MAINTAINERS: Add missing link to GitHub account (#23050, @christarazi)
MAINTAINERS: Move @twpayne to emeritus status (#23688, @twpayne)
MAINTAINERS: updates company affiliations for Michal and Tom (#23138, @tklauser)
Make api/v1/model/BackendAddressState const string , not manual define. (#22874, @yanggangtony)
Make log statements easier to read (#22971, @yulng)
Mark tests as successful if they are not supposed to run (#23847, @aanm)
Minor improvements to DNS proxy around notifyOnDNSMsg() (#22341, @christarazi)
Move @lzang to emeritus committer (#23373, @xmulligan)
Moved @raybejjani to Emeritus Committers (#23323, @raybejjani)
operator: Clarify log msg for unmanaged pods (#23855, @christarazi)
operator: cleanup CRD registration (#23701, @mhofstetter)
operator: Fix use of Resource.Events() in CEC controller (#22844, @joamaki)
Optimize getting identity by key with CRD Backend by introducing indexer. (#23064, @alan-kut)
Optimize the comparison mode of bool judgment (#22922, @Fish-pro)
pkg/endpoint: Use structured logging for error condition (#22846, @christarazi)
pkg/ip: Remove redundant type conversions (#23108, @tanberBro)
pkg/k8s: Replace label failure-domain.beta.kunerbetes.io deprecated in K8s 1.17 (with topology.kubernetes.io) (#23177, @my-git9)
pkg/policy: Add benchmark for ForEachGo (#22845, @christarazi)
policy: mapstate should respect authType in dataPath equality (#23780, @mhofstetter)
Prepare for v1.14 development cycle (#22614, @joestringer)
proxylib: Downgrade noisy log msg to debug level (#22848, @christarazi)
README.rst, MLH: Update stable releases, following the latest round of patch releases. (#23421, @qmonnet)
Refactor k8s identities GC into a cell.Module (#22892, @pippolo84)
Refactor node annotations (#23772, @marseel)
Remove / in RKE doc link as it causes redirect bug (#23728, @raphink)
Remove dependency on $GOPATH for make generate-k8s-api (#23428, @ldelossa)
remove export from shell session to avoid the inconsistency (#22932, @fujitatomoya)
Remove relevant metrics series on pod deletion (#23162). (#23385, @marqc)
renovate/images: Revert accidental commits (#23497, @gandro)
renovate: add support for GH workflow updates (#23625, @aanm)
renovate: allow golang 1.20 in "v1.13" and "master" branch (#23547, @aanm)
renovate: ignore cilium-test Dockerfile (#23560, @aanm)
Resource API refactoring and shared resources (#21744, @joamaki)
Revert "kludge: hardcode Google Cloud SDK key due to error 500" (#24060, @sayboras)
Run Hubble Relay as non-root user by default. (#23259, @rolinh)
Slightly improve UX around passing --metrics (#22888, @christarazi)
sort identities by id/name to avoid random results (#23329, @nickolaev)
stateId: delete redundant type conversion (#23056, @XiaozhiD-web)
test/runtime: Set NO_COLOR for privileged tests (#23151, @joestringer)
test: Update NetworkPolicy to networking.k8s.io/v1 (#22907, @yulng)
Update CFP issue template to link repo (#23841, @xmulligan)
Update CNI to 1.2.0 (#23267, @michi-covalent)
Update Go to 1.20.1 (#23896, @tklauser)
update k8s control plane tests (#23813, @aanm)
Update MAINTAINERS.md to include Tom Hadlaw (#22769, @christarazi)
Update signature verification docs for Sigstore 2.0 (#24029, @jedsalazar)
Update stable releases (#22820, @joestringer)
Update stable releases (#23742, @joestringer)
Use &netlink.LinkNotFoundError{} to determine link not found error (#22438, @tanberBro)
use DescribeVSwitches to get vswitch tags (#23635, @haozhangami)
vendor: bump golang-lru to v2 (requires Go >= 1.18 support for generics) (#22644, @rolinh)
vendor: update wireguard dependency (#23849, @aanm)
workflow: fixes LLVM, Clang cache and install path (#23740, @brlbil)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-snapshot.0@sha256:e3026b6482f4dff7fbcc8b06e37b712728a31ad4c294581ddf5475dbcf3b7a80
quay.io/cilium/cilium:v1.14.0-snapshot.0@sha256:e3026b6482f4dff7fbcc8b06e37b712728a31ad4c294581ddf5475dbcf3b7a80

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.0@sha256:f8f319ff0b43023f863702c8be8eb2305d52a4a0a60ced347622069bc13fb651
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.0@sha256:f8f319ff0b43023f863702c8be8eb2305d52a4a0a60ced347622069bc13fb651

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-snapshot.0@sha256:5667cdc4205b5efc5970d7a3bae0870b53d5a82df5d8df987c1c2f9edb7313b4
quay.io/cilium/docker-plugin:v1.14.0-snapshot.0@sha256:5667cdc4205b5efc5970d7a3bae0870b53d5a82df5d8df987c1c2f9edb7313b4

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-snapshot.0@sha256:dbd1e4361c272c8b45f48ae3bed54966e9e3601bf43f59ffa3b1066520cc1bd5
quay.io/cilium/hubble-relay:v1.14.0-snapshot.0@sha256:dbd1e4361c272c8b45f48ae3bed54966e9e3601bf43f59ffa3b1066520cc1bd5

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.0@sha256:fd0ef1f31cb9d99dff87ac55910ec0d45caf1ee482fa8e01878b33f1487fafd0
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.0@sha256:fd0ef1f31cb9d99dff87ac55910ec0d45caf1ee482fa8e01878b33f1487fafd0

operator-aws

docker.io/cilium/operator-aws:v1.14.0-snapshot.0@sha256:b570d54162121f0e7c9518376d69d24d59d565bd636ef9708110611473ff491e
quay.io/cilium/operator-aws:v1.14.0-snapshot.0@sha256:b570d54162121f0e7c9518376d69d24d59d565bd636ef9708110611473ff491e

operator-azure

docker.io/cilium/operator-azure:v1.14.0-snapshot.0@sha256:3e83b89b7ac8c675f2e0de8f6e8120b254bdb5b9066033c110c0cbcab5bb23b8
quay.io/cilium/operator-azure:v1.14.0-snapshot.0@sha256:3e83b89b7ac8c675f2e0de8f6e8120b254bdb5b9066033c110c0cbcab5bb23b8

operator-generic

docker.io/cilium/operator-generic:v1.14.0-snapshot.0@sha256:78af387bac5aaa603f88f69ce773b325cd359f8ecd9b540962d86a55be1824bf
quay.io/cilium/operator-generic:v1.14.0-snapshot.0@sha256:78af387bac5aaa603f88f69ce773b325cd359f8ecd9b540962d86a55be1824bf

operator

docker.io/cilium/operator:v1.14.0-snapshot.0@sha256:6574cf455cb09f8fd19f4cd08e1995afddcaf36c03727b07c1c0562a2f1e9381
quay.io/cilium/operator:v1.14.0-snapshot.0@sha256:6574cf455cb09f8fd19f4cd08e1995afddcaf36c03727b07c1c0562a2f1e9381

Provide feedback

Saved searches

Use saved searches to filter your results more quickly