chore(deps): update dependency cilium/cilium to v1.13.16 - autoclosed

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium/cilium	patch	1.13.10 -> 1.13.16

---

Release Notes

cilium/cilium (cilium/cilium)

v1.13.16: 1.13.16

Compare Source

We are pleased to release Cilium v1.13.16.

This release comes with hubble metrics in bugtool, fix for DNS message timeout in proxy, patched memory leak and many more!

Security Advisories

This release addresses following security vulnerabilities:

• GHSA-3mh5-6q8v-25wj
• GHSA-5fq7-4mxc-535h

Summary of Changes

Minor Changes:

• bugtool: Collect hubble metrics (Backport PR #​31887, Upstream PR #​31533, @​chancez)
• envoy: Bump go version to 1.21.10 (#​32415, @​sayboras)
• Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #​31887, Upstream PR #​29581, @​xyz-li)

Bugfixes:

• Agent: add kubeconfigPath to initContainers (Backport PR #​32252, Upstream PR #​32008, @​darox)
• cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #​32420, Upstream PR #​32128, @​gandro)
• cni: Allow text-ts log format value (Backport PR #​31887, Upstream PR #​31686, @​sayboras)
• cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #​32386, Upstream PR #​32244, @​learnitall)
• dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #​32252, Upstream PR #​31999, @​gandro)
• Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #​32330, Upstream PR #​32270, @​jrajahalme)
• Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #​32386, Upstream PR #​30548, @​squeed)
• fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #​32053, Upstream PR #​31959, @​marseel)
• ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #​32252, Upstream PR #​32099, @​jasonaliyetti)
• xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #​32053, Upstream PR #​31061, @​sayboras)

CI Changes:

• [v1.13] Go linter fix backport (#​31983, @​tklauser)
• ci: Filter supported versions of AKS (Backport PR #​32386, Upstream PR #​32303, @​marseel)
• ci: Increase timeout for images for l4lb test (Backport PR #​32252, Upstream PR #​32201, @​marseel)
• Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #​32053, Upstream PR #​31958, @​giorio94)
• test: De-flake xds server_e2e_test (Backport PR #​32053, Upstream PR #​32004, @​jrajahalme)
• vagrant: bump box versions to pick up Go 1.20.1 (Backport PR #​31796, Upstream PR #​23983, @​tklauser)
• workflows: Fix CI jobs for push events on private forks (Backport PR #​32252, Upstream PR #​32085, @​pchaigno)

Misc Changes:

• [v.13] test: Fix Endpoint Test (#​32197, @​nathanjsweet)
• [v1.13] endpoint: Fix Endpoint Integration Tests (#​32171, @​nathanjsweet)
• build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #​32252, Upstream PR #​32176, @​dependabot[bot])
• chore(deps): update all github action dependencies (v1.13) (#​32380, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.13.3 (v1.13) (#​32446, @​renovate[bot])
• chore(deps): update go to v1.21.10 (v1.13) (#​32374, @​renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.13.3 (v1.13) (#​32379, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​31831, @​renovate[bot])
• cilium-dbg: avoid leaking file resources (Backport PR #​31887, Upstream PR #​31750, @​tklauser)
• command/exec: remove unused (*Cmd).WithFilters method (Backport PR #​31887, Upstream PR #​25642, @​tklauser)
• docs: Fix prometheus port regex (Backport PR #​32252, Upstream PR #​32030, @​JBodkin-Amphora)
• Docs: mark Tetragon as Stable (Backport PR #​32053, Upstream PR #​31886, @​sharlns)
• endpoint: Skip build queue warning log is context is canceled (Backport PR #​32252, Upstream PR #​32132, @​jrajahalme)
• Fix spelling in DNS-based proxy info (Backport PR #​31887, Upstream PR #​31728, @​saintdle)
• fqdn: Change error log to warning (Backport PR #​32386, Upstream PR #​32333, @​jrajahalme)
• fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #​32386, Upstream PR #​32325, @​nathanjsweet)
• golangci: Enable errorlint (Backport PR #​31796, Upstream PR #​31458, @​jrajahalme)
• Improve release organization page (Backport PR #​32053, Upstream PR #​31970, @​joestringer)
• install/kubernetes: update nodeinit image to latest version (Backport PR #​32252, Upstream PR #​32181, @​tklauser)
• ipsec: Debug info for transient IPsec upgrade drops (Backport PR #​32386, Upstream PR #​32240, @​pchaigno)
• Move governance docs to the Cilium community repo (Backport PR #​31887, Upstream PR #​31692, @​katiestruthers)
• Remove aks-preview from AKS workflows (Backport PR #​32252, Upstream PR #​32118, @​marseel)
• Remove Hubble-OTel from the roadmap (Backport PR #​31887, Upstream PR #​31847, @​xmulligan)

Other Changes:

• [v1.13-backport] Introduce fromEgressProxyRule (#​31928, @​jschwinger233)
• ci: no longer suppported v1.25 in GKE (#​32182, @​marseel)
• envoy: Bump envoy version to v1.27.5 (#​32079, @​sayboras)
• fix k8s versions tested in CI (#​31968, @​nbusseneau)
• install: Update image digests for v1.13.15 (#​31913, @​asauber)

v1.13.15: 1.13.15

Compare Source

We are pleased to announce the release of Cilium v1.13.15.

This release includes a fix to the retry logic in the cilium health controllers, a fix to a race condition when updating L7 LB Services, and a fix for Node ID assignment in BPF maps for very large clusters. In addition, there were a variety of testing enhancements and documentation updates.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

• [v1.13] Bump envoy to v1.27.x (#​31498, @​sayboras)

Bugfixes:

• cilium-health: Fix broken retry loop in cilium-health-ep controller (Backport PR #​31722, Upstream PR #​31622, @​gandro)
• Fixed a race condition in service updates for L7 LB. (Backport PR #​31862, Upstream PR #​31744, @​jrajahalme)
• Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space.
  Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled.
  Otherwise, it was merely generating unnecessary error log messages. (Backport PR #​31657, Upstream PR #​31380, @​marseel)

CI Changes:

• ci/ipsec: Print more info to debug credentials removal check failures (Backport PR #​31722, Upstream PR #​31652, @​qmonnet)
• controlplane: fix mechanism for ensuring watchers (Backport PR #​31587, Upstream PR #​31030, @​bimmlerd)
• deflake endpointmanager tests (Backport PR #​31722, Upstream PR #​31488, @​bimmlerd)
• Reduce flakiness of controlplane tests (Backport PR #​31587, Upstream PR #​30906, @​bimmlerd)
• workflows: Debug info for key rotations (Backport PR #​31722, Upstream PR #​31627, @​pchaigno)

Misc Changes:

• chore(deps): update all github action dependencies (v1.13) (#​31835, @​renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.13) (#​31709, @​renovate[bot])
• chore(deps): update go to v1.21.9 (v1.13) (#​31766, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​31710, @​renovate[bot])
• docs: Document No node ID found drops in case of remote node deletion (Backport PR #​31722, Upstream PR #​31635, @​pchaigno)
• docs: ipsec: document native-routing + Egress proxy case (Backport PR #​31722, Upstream PR #​31478, @​julianwiedmann)
• helm: update nodeinit image using renovate (Backport PR #​31722, Upstream PR #​31641, @​tklauser)
• Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR #​31722, Upstream PR #​29300, @​learnitall)
• v1.13: update cilium/certgen to v0.1.11 (#​31884, @​rolinh)

Other Changes:

• [v1.13] envoy: Bump envoy image for golang 1.21.9 (#​31772, @​sayboras)
• [v1.13] fix aws region being used twice (#​31740, @​brlbil)
• [v1.13] workflows: ipsec-e2e: clean up escaping artifacts (#​31630, @​julianwiedmann)
• Bump google.golang.org/grpc to v1.63.2 (v1.13) (#​31878, @​ferozsalam)
• CI: Remove no longer supported k8s v1.24 (#​31830, @​brlbil)
• envoy: Bump envoy version to v1.27.4 (#​31809, @​sayboras)
• fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#​31872, @​nathanjsweet)
• fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#​31713, @​nathanjsweet)
• Update image digests for v1.13.14 (#​31631, @​thorn3r)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.13.15@​sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed
quay.io/cilium/cilium:v1.13.15@​sha256:3d77d6e463ccc462c7574399fe22f6177a6e484bc5c149c76b7d597163253eed

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.13.15@​sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c
quay.io/cilium/clustermesh-apiserver:v1.13.15@​sha256:9cfdc40a689fc087d19aff4944657ca98df7795ba1836744400f6b77e59e1e5c

docker-plugin

docker.io/cilium/docker-plugin:v1.13.15@​sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75
quay.io/cilium/docker-plugin:v1.13.15@​sha256:485857b80cb4c726aba7e8c41536db97b0558f05f22dce6f97c8db2c1792cf75

hubble-relay

docker.io/cilium/hubble-relay:v1.13.15@​sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e
quay.io/cilium/hubble-relay:v1.13.15@​sha256:40135c6b0e2034c9f06abfe0c85f7f088ac6ba2c619d5354d4af6179d33b9a1e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.13.15@​sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05
quay.io/cilium/operator-alibabacloud:v1.13.15@​sha256:99c124f199f3cb48c41d43a423144bd9638d68705f347ec2326b34af50291a05

operator-aws

docker.io/cilium/operator-aws:v1.13.15@​sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a
quay.io/cilium/operator-aws:v1.13.15@​sha256:e09044b516be9ce9936253469411618d6790791dbe501829e6062244a24e815a

operator-azure

docker.io/cilium/operator-azure:v1.13.15@​sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268
quay.io/cilium/operator-azure:v1.13.15@​sha256:ea05ba909b573b4a52731aec36b91a0a582781a48c2ade7719dfbae05c21d268

operator-generic

docker.io/cilium/operator-generic:v1.13.15@​sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101
quay.io/cilium/operator-generic:v1.13.15@​sha256:21f6707e99722b41a24e9bf4e24b7e4d00597cc7dbaef6e7588dedbf3b270101

operator

docker.io/cilium/operator:v1.13.15@​sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9
quay.io/cilium/operator:v1.13.15@​sha256:971c9b6294216df668881917132a4a41fcc43fba64315e91ed632f62eab9eac9

v1.13.14: 1.13.14

Compare Source

We are pleased to release Cilium v1.13.14.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-pwqm-x5x6-5586.

Summary of Changes

Minor Changes:

• cni: use default logger with timestamps. (Backport PR #​31309, Upstream PR #​31014, @​tommyp1ckles)
• Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #​31309, Upstream PR #​31159, @​pchaigno)

Bugfixes:

• Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #​31476, Upstream PR #​31395, @​tklauser)
• Fix bug leading to missed ipcache updates for the CiliumInternalIP when --enable-remote-node-identity=false, and unnecessary ipcache_errors_total metric increase if Cilium operates in kvstore mode. (#​31396, @​giorio94)
• gateway-api: Retrieve LB service from same namespace (Backport PR #​31496, Upstream PR #​31271, @​sayboras)
• Handle InvalidParameterValue as well for PD fallback (Backport PR #​31496, Upstream PR #​31016, @​hemanthmalla)
• Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #​31496, Upstream PR #​31211, @​kaworu)
• k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #​31476, Upstream PR #​31421, @​tklauser)

CI Changes:

• AKS: avoid overlapping pod and service CIDRs (Backport PR #​31570, Upstream PR #​31504, @​bimmlerd)
• Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #​31195, Upstream PR #​30916, @​giorio94)
• Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #​31195, Upstream PR #​31198, @​giorio94)
• ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #​31496, Upstream PR #​31387, @​YutaroHayakawa)
• gha: disable fail-fast on integration tests (Backport PR #​31496, Upstream PR #​31420, @​giorio94)
• gha: drop unused check_url environment variable (Backport PR #​31195, Upstream PR #​30928, @​giorio94)
• introduce ARM github workflows (Backport PR #​31309, Upstream PR #​31196, @​aanm)
• ipam: deepcopy interface resource correctly. (Backport PR #​31496, Upstream PR #​26998, @​tommyp1ckles)
• loader: fix issue where errors cancelled compile cause error logs. (Backport PR #​31309, Upstream PR #​30988, @​tommyp1ckles)

Misc Changes:

• Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #​31309, Upstream PR #​31015, @​learnitall)
• chore(deps): update all github action dependencies (v1.13) (#​31485, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.13) (#​31584, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.13) (#​31484, @​renovate[bot])
• cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #​31570, Upstream PR #​31503, @​mhofstetter)
• doc: Clarified GwAPI KPR prerequisites (Backport PR #​31496, Upstream PR #​31366, @​PhilipSchmid)
• docs: Warn on key rotations during upgrades (Backport PR #​31496, Upstream PR #​31437, @​pchaigno)

Other Changes:

• install: Update image digests for v1.13.13 (#​31405, @​thorn3r)
• v1.13: IPsec Fixes (#​31612, @​pchaigno)

v1.13.13: 1.13.13

Compare Source

We are pleased to release Cilium v1.13.13.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories
for details.

• GHSA-68mj-9pjq-mc85
• GHSA-j89h-qrvr-xc36

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Bugfixes:

• Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #​31161, Upstream PR #​29530, @​jschwinger233)
• Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #​31161, Upstream PR #​29594, @​jschwinger233)
• Fixes proxy issues in egress direction (Backport PR #​31161, Upstream PR #​30095, @​jschwinger233)

CI Changes:

• ci/ipsec: Fix downgrade version retrieval (Backport PR #​31049, Upstream PR #​30742, @​qmonnet)
• ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #​30865, Upstream PR #​30790, @​brlbil)
• CI: Update tested K8S versions across all cloud providers (Backport PR #​30865, Upstream PR #​30795, @​brlbil)
• Fix datapath mode in Network Performance CI test (Backport PR #​30865, Upstream PR #​30756, @​marseel)
• k8s_install.sh: specify the CNI version (Backport PR #​31246, Upstream PR #​31182, @​aanm)
• workflows: Clean IPsec test output (Backport PR #​30801, Upstream PR #​30759, @​pchaigno)

Misc Changes:

• bpf: host: skip from-proxy handling in from-netdev (Backport PR #​31161, Upstream PR #​29962, @​julianwiedmann)
• bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #​31161, Upstream PR #​29721, @​julianwiedmann)
• bugtool: Capture memory fragmentation info from /proc (Backport PR #​31157, Upstream PR #​30966, @​pchaigno)
• Bump google.golang.org/protobuf (v1.13) (#​31312, @​ferozsalam)
• Change ariane config CODEOWNERS (Backport PR #​30865, Upstream PR #​30803, @​brlbil)
• chore(deps): update all github action dependencies (v1.13) (#​30957, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.13) (#​31115, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.13) (#​31298, @​renovate[bot])
• chore(deps): update all github action dependencies to v4 (v1.13) (major) (#​30783, @​renovate[bot])
• chore(deps): update all-dependencies (v1.13) (#​30955, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.13) (#​31295, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.13) (#​30737, @​renovate[bot])
• chore(deps): update go to v1.21.7 (v1.13) (#​30956, @​renovate[bot])
• chore(deps): update go to v1.21.8 (v1.13) (#​31185, @​renovate[bot])
• chore(deps): update hubble cli to v0.13.2 (v1.13) (#​31340, @​renovate[bot])
• chore(deps): update kindest/node docker tag to v1.27.11 (v1.13) (#​31141, @​renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.13) (#​30982, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​30812, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​31142, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​31296, @​renovate[bot])
• docs: Document XfrmInStateInvalid errors (Backport PR #​30801, Upstream PR #​30151, @​pchaigno)
• docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #​31157, Upstream PR #​30462, @​saintdle)
• images: bump cni plugins to v1.4.1 (#​31350, @​aanm)
• pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #​31161, Upstream PR #​29761, @​julianwiedmann)

Other Changes:

• [v1.13] envoy: Bump golang version to 1.21.8 (#​31223, @​sayboras)
• install: Update image digests for v1.13.12 (#​30753, @​michi-covalent)

v1.13.12: 1.13.12

Compare Source

We are pleased to release Cilium v1.13.12. This release contains various bug fixes and performance / usability improvements.

Summary of Changes

Minor Changes:

• api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #​30386, Upstream PR #​30167, @​viktor-kurchenko)
• helm: Add extraVolumeMounts to cilium config init container (Backport PR #​30386, Upstream PR #​30131, @​ayuspin)
• ui: release v0.13.0 (Backport PR #​30723, Upstream PR #​30711, @​geakstr)

Bugfixes:

• Add specific drop reason for missing tail calls if the host datapath is not ready yet (Backport PR #​30315, Upstream PR #​29482, @​ti-mo)
• Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #​30315, Upstream PR #​30248, @​ti-mo)
• Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #​30522, Upstream PR #​30399, @​tlcowling)
• Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #​30679, Upstream PR #​30536, @​hemanthmalla)

CI Changes:

• [v1.13] backport Go version check fixes in preparation for Go 1.21 update (#​30417, @​tklauser)
• ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #​30522, Upstream PR #​30503, @​qmonnet)
• ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #​30679, Upstream PR #​30525, @​tklauser)
• CI: Change cloud regions (Backport PR #​30679, Upstream PR #​30378, @​brlbil)
• gha: explicilty specify beefier runner type for clustermesh workflows (Backport PR #​30386, Upstream PR #​30335, @​giorio94)
• gha: make runner type for clustermesh workflows configurable (Backport PR #​30679, Upstream PR #​30496, @​giorio94)
• Network performance (Backport PR #​30679, Upstream PR #​30247, @​marseel)
• Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #​30386, Upstream PR #​30207, @​giorio94)
• Update GitHub upload-artifact action (Backport PR #​30522, Upstream PR #​30443, @​brlbil)

Misc Changes:

• Added Last page Edit on Documentation (Backport PR #​30679, Upstream PR #​30612, @​gailsuccess)
• bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #​30522, Upstream PR #​30410, @​julianwiedmann)
• build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #​30522, Upstream PR #​30219, @​dependabot[bot])
• chore(deps): update go to v1.20.13 (v1.13) (patch) (#​30186, @​renovate[bot])
• chore(deps): update go to v1.21.6 (v1.13) (minor) (#​29817, @​renovate[bot])
• chore(deps): update hubble cli to v0.13.0 (v1.13) (minor) (#​30275, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.13) (patch) (#​30493, @​renovate[bot])
• doc: Add Azure CNI Powered by cilium as external installer (Backport PR #​30386, Upstream PR #​28286, @​tamilmani1989)
• docs: warn users that IPsec and KPR are mutual exclusive (Backport PR #​30522, Upstream PR #​30403, @​f1ko)
• hubble-ui: release v0.12.3 (Backport PR #​30522, Upstream PR #​30422, @​geakstr)
• loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #​30315, Upstream PR #​30214, @​ti-mo)

Other Changes:

• [1.13] Ignore ct buffer drops on minor release downgrades only (#​30270, @​rgo3)
• [v1.13] ci/ipsec: Fix downgrade version for release preparation commits (#​30715, @​qmonnet)
• [v1.13] ci/ipsec: Re-enable node-to-node-encryption check (#​30402, @​qmonnet)
• [v1.13] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode (#​30120, @​antonipp)
• bpf: l3: fix-up kube-proxy workaround in l3_local_delivery() to bpf_overlay (#​30313, @​julianwiedmann)
• envoy: Bump envoy version for x/net library (#​30516, @​sayboras)
• envoy: Bump envoy version to v1.26.7 (#​30694, @​sayboras)
• install: Update image digests for v1.13.11 (#​30317, @​gentoo-root)

v1.13.11: 1.13.11

Compare Source

We are pleased to release Cilium v1.13.11.

This release includes various bugfixes and performance enhancements. The amount of trace events is reduced when monitor aggregation is enabled, allowing to improve pod-to-pod performance with tunneling and IPsec. Other fixes include fixes for DNS proxy, datapath, etc.

Summary of Changes

Minor Changes:

• Reduce "stale identity observed" warnings (Backport PR #​29997, Upstream PR #​27894, @​leblowl)

Bugfixes:

• Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #​30216, Upstream PR #​29239, @​jrajahalme)
• cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #​29997, Upstream PR #​29809, @​marseel)
• Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #​29997, Upstream PR #​29616, @​learnitall)
• iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #​30182, Upstream PR #​29310, @​julianwiedmann)
• nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #​29974, Upstream PR #​29964, @​gandro)
• Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #​30182, Upstream PR #​27908, @​julianwiedmann)

CI Changes:

• Add secondary iface to KIND network (Backport PR #​30010, Upstream PR #​26338, @​ysksuzuki)
• ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #​29702, Upstream PR #​29653, @​brb)
• ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #​30010, Upstream PR #​29514, @​brb)
• ci/ipsec: Skip waiting for images when skipping upgrade/dowgrade (Backport PR #​30010, Upstream PR #​29793, @​qmonnet)
• ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #​29847, Upstream PR #​29455, @​mhofstetter)
• ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #​29847, Upstream PR #​29694, @​mhofstetter)
• datapath: Cover subnet encryption in XFRM leak test (Backport PR #​30081, Upstream PR #​27212, @​pchaigno)
• datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #​30081, Upstream PR #​27274, @​brb)
• gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #​30010, Upstream PR #​29485, @​brb)
• gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #​29847, Upstream PR #​29675, @​giorio94)
• node: Integration test for XFRM leaks on node churn (Backport PR #​30081, Upstream PR #​27187, @​pchaigno)
• workflows: Increase IPsec e2e test's timeout (Backport PR #​30267, Upstream PR #​30194, @​julianwiedmann)
• workflows: Increase IPsec upgrade test's timeout (Backport PR #​30081, Upstream PR #​29934, @​pchaigno)
• workflows: Make the conn-disrupt test more sensitive (Backport PR #​29702, Upstream PR #​29623, @​pchaigno)

Misc Changes:

• bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #​29997, Upstream PR #​29880, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.13) (patch) (#​29850, @​renovate[bot])
• chore(deps): update go (v1.13) (patch) (#​30143, @​renovate[bot])
• doc: Update recommended way for installing cilium on AKS (Backport PR #​30182, Upstream PR #​28910, @​tamilmani1989)
• docs: Fix keyid derivation in IPsec docs (Backport PR #​30081, Upstream PR #​30000, @​brb)
• Fix kind.sh development scripts on MacOS (Backport PR #​30010, Upstream PR #​25317, @​chancez)
• fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #​30182, Upstream PR #​29971, @​renovate[bot])
• hubble: Reduce "stale identities observed" debug messages even more (Backport PR #​29997, Upstream PR #​29957, @​gandro)
• Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #​29869, Upstream PR #​29801, @​jrfastab)

Other Changes:

• [1.13] Ignore packet drops of type Failed to update or lookup TC buffer (#​30249, @​rgo3)
• [1.13] loader: fix obsolete XDP program removal (#​30231, @​rgo3)
• [v1.13] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#​29741, @​qmonnet)
• [v1.13] go.mod: bump Go to 1.20 (#​29818, @​tklauser)
• [v1.13] node: Fix IP removal from ipset on node updates (#​29898, @​qmonnet)
• install: Update image digests for v1.13.10 (#​29807, @​nebril)
• v1.13: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#​30137, @​pchaigno)
• v1.13: update dependency cilium/cilium-cli to v0.15.19 (#​30136, @​pchaigno)

---

Configuration

📅 Schedule: Branch creation - "on monday and friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.