ipsec:cli:doc: reject key rotations with different keySize, then enable pod-to-pod-with-l7-policy-encryption for IPv6 #37936
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e4faaa5 to
ce82d69
Compare
ce82d69 to
4d5d8d8
Compare
|
/test |
4d5d8d8 to
2234864
Compare
pchaigno
requested changes
Mar 10, 2025
2234864 to
e010564
Compare
pchaigno
approved these changes
Mar 17, 2025
|
Rebasing to pick CI fixes. |
With this commit we explicitly reject key rotations when the newly provided algorithm has a different keyLen than the previous one. This is to prevent potential connectivity disruptions: while accounting for the IPSec overhead for the MTU, we consider the default 16B for keyLen, and we correctly adjust it depending on the algorithm provided in the IPSec secret. However, this adjustment is not performed at runtime upon providing a new key during key rotation. * For IPv4, we never saw the issue, since during the MTU computation we account for the worst case, meanining IPv6, therefore having 20B additional that can be "borrowed" for a higher keyLen during key rotation. * For IPv6 where the MTU computation is just right, there are no bits to borrow. This means that, when providing a new key with greater keyLen, the MTU is not dynamically lowered, therefore we see conn disrupt. This commit also includes the minimal doc change in our IPSec key rotation section to state this behavior. NB: this patch fixes #29480 by preventing this behavior. If we ever plan to support it, we should subscribe to MTU discovery and update it accordingly. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
This commit enables the `pod-to-pod-with-l7-encryption` for IPv6 with IPSec. Prior to this, we used to run this test only for IPv4 due to the issue identified in the previous commit (mtu not dynamically adjusted during key rotation when providing a different keyLen). Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
e010564 to
4364e8a
Compare
|
/test |
This was referenced Mar 21, 2025
chris-sanders
added a commit
to chris-sanders/argocd
that referenced
this pull request
Jun 23, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.15.10` -> `1.15.18` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.15.18`](https://github.com/cilium/cilium/releases/tag/v1.15.18): 1.15.18 [Compare Source](https://github.com/cilium/cilium/compare/1.15.17...1.15.18) ## Summary of Changes **Bugfixes:** - Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39511](https://github.com/cilium/cilium/issues/39511), [@​jrajahalme](https://github.com/jrajahalme)) **CI Changes:** - bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39420](https://github.com/cilium/cilium/issues/39420), [@​julianwiedmann](https://github.com/julianwiedmann)) - call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport PR [#​39864](https://github.com/cilium/cilium/issues/39864), Upstream PR [#​37362](https://github.com/cilium/cilium/issues/37362), [@​Artyop](https://github.com/Artyop)) - Re-optimize CI build process (Backport PR [#​39864](https://github.com/cilium/cilium/issues/39864), Upstream PR [#​39802](https://github.com/cilium/cilium/issues/39802), [@​aanm](https://github.com/aanm)) **Misc Changes:** - \[v1.15] deps: bump github.com/osrg/gobgp/v3 to v3.35.0 ([#​39224](https://github.com/cilium/cilium/issues/39224), [@​ferozsalam](https://github.com/ferozsalam)) - Add a section to talk about the native routing masquerading in the cloud environment. (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39343](https://github.com/cilium/cilium/issues/39343), [@​liyihuang](https://github.com/liyihuang)) - bpf: Skip lxc src IP check for proxy traffic (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39530](https://github.com/cilium/cilium/issues/39530), [@​sayboras](https://github.com/sayboras)) - chore(deps): update all github action dependencies (v1.15) ([#​39479](https://github.com/cilium/cilium/issues/39479), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39572](https://github.com/cilium/cilium/issues/39572), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39710](https://github.com/cilium/cilium/issues/39710), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39881](https://github.com/cilium/cilium/issues/39881), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v31 (v1.15) ([#​39612](https://github.com/cilium/cilium/issues/39612), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.3 docker digest to [`4c0a181`](https://github.com/cilium/cilium/commit/4c0a181) (v1.15) ([#​39708](https://github.com/cilium/cilium/issues/39708), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.3 docker digest to [`86b4cff`](https://github.com/cilium/cilium/commit/86b4cff) (v1.15) ([#​39611](https://github.com/cilium/cilium/issues/39611), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.4 (v1.15) ([#​39953](https://github.com/cilium/cilium/issues/39953), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749031919-98c55b1d0c1154fb6c9e760583c2dcd7778686e2 (v1.15) ([#​39888](https://github.com/cilium/cilium/issues/39888), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626 (v1.15) ([#​39937](https://github.com/cilium/cilium/issues/39937), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39709](https://github.com/cilium/cilium/issues/39709), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) **Other Changes:** - \[v1.15] proxy: Bump cilium/proxy version ([#​39592](https://github.com/cilium/cilium/issues/39592), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.17 ([#​39546](https://github.com/cilium/cilium/issues/39546), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.18@​sha256:106bb45c89e1e0abca82c798b16ccc1f5b1c6cfa1205d811b69989fd1507fc5b` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.18@​sha256:66cb9687dd45c4d014f5d31186cb5609c13183d5a04352d2d9008e88329c59f0` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.18@​sha256:9e205b34ffab2c7b7f9c8b0a7d4f97f2ebb61dd33f4fec061cf146835bcd3b18` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.18@​sha256:a8a4337d518fafdd410dfc1d5cd2c1992f0406127d12ed8fcd683ed55e1e9db0` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.18@​sha256:cefdfcda5a99703024a9d718e69d206844b5f745e4752eeb29797fdb5f19d905` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.18@​sha256:126148f28186ab1704d8dd92d93aa06746f3a1f7c06e650735a32875415c5378` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.18@​sha256:b705c0090b34611f75dc93caef52c7a52aa53a4f72a5fa39885fc08463197d93` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.18@​sha256:ebc7a075ac4c3d95e98f11512853feb700e48f87b5beeff466128bdafb5e0cb9` ##### operator `quay.io/cilium/operator:v1.15.18@​sha256:e0c95bf661245a233b8ad5f0426f1e4ebc69192fc232c9a810577e35a3e43a51` ### [`v1.15.17`](https://github.com/cilium/cilium/releases/tag/v1.15.17): 1.15.17 [Compare Source](https://github.com/cilium/cilium/compare/1.15.16...1.15.17) ## Summary of Changes **Minor Changes:** - Update kafka apiKey helm chart value to true (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​38963](https://github.com/cilium/cilium/issues/38963), [@​kyle-c-simmons](https://github.com/kyle-c-simmons)) **Bugfixes:** - Fix a deadlock when a host has no IPv4 address. (Backport PR [#​39078](https://github.com/cilium/cilium/issues/39078), Upstream PR [#​38938](https://github.com/cilium/cilium/issues/38938), [@​EmilyShepherd](https://github.com/EmilyShepherd)) - Fix bug that would cause the `cilium-dbg encrypt status` command to not list any decryption interfaces when KPR is enabled. (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​39170](https://github.com/cilium/cilium/issues/39170), [@​pchaigno](https://github.com/pchaigno)) - k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38779](https://github.com/cilium/cilium/issues/38779), [@​marseel](https://github.com/marseel)) **CI Changes:** - \[v1.15] .github: provide correct env variables to api/v1 Makefile ([#​39286](https://github.com/cilium/cilium/issues/39286), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] go.mod, vendor: update github.com/cilium/linters to v0.20.0 ([#​39394](https://github.com/cilium/cilium/issues/39394), [@​tklauser](https://github.com/tklauser)) - \[v1.15] l4lb: Support environments with existing veth ([#​39410](https://github.com/cilium/cilium/issues/39410), [@​joestringer](https://github.com/joestringer)) **Misc Changes:** - Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38539](https://github.com/cilium/cilium/issues/38539), [@​liyihuang](https://github.com/liyihuang)) - chore(deps): update all github action dependencies (v1.15) ([#​39055](https://github.com/cilium/cilium/issues/39055), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​39189](https://github.com/cilium/cilium/issues/39189), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39277](https://github.com/cilium/cilium/issues/39277), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.3 (v1.15) ([#​39321](https://github.com/cilium/cilium/issues/39321), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.8 docker digest to [`87bb940`](https://github.com/cilium/cilium/commit/87bb940) (v1.15) ([#​38915](https://github.com/cilium/cilium/issues/38915), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.8 docker digest to [`e54daaa`](https://github.com/cilium/cilium/commit/e54daaa) (v1.15) ([#​39052](https://github.com/cilium/cilium/issues/39052), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.3 (v1.15) ([#​39188](https://github.com/cilium/cilium/issues/39188), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744679528-43b5c0ea620b5fa8c2e32ed79f113aef89f30e6b (v1.15) ([#​38941](https://github.com/cilium/cilium/issues/38941), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.15) ([#​39053](https://github.com/cilium/cilium/issues/39053), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.15) ([#​39228](https://github.com/cilium/cilium/issues/39228), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.15) ([#​39415](https://github.com/cilium/cilium/issues/39415), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38972](https://github.com/cilium/cilium/issues/38972), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39186](https://github.com/cilium/cilium/issues/39186), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39478](https://github.com/cilium/cilium/issues/39478), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore: remove `retention-days` param in `build-images-releases.yaml` (Backport PR [#​39437](https://github.com/cilium/cilium/issues/39437), Upstream PR [#​39431](https://github.com/cilium/cilium/issues/39431), [@​sekhar-isovalent](https://github.com/sekhar-isovalent)) - contrib: Remove kind.sh dependency on git (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39154](https://github.com/cilium/cilium/issues/39154), [@​joestringer](https://github.com/joestringer)) - docs: Add good kernel versions for the L7 policy IPv6 bug (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39212](https://github.com/cilium/cilium/issues/39212), [@​gentoo-root](https://github.com/gentoo-root)) - docs: Document L7 policy IPv6 bug (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38591](https://github.com/cilium/cilium/issues/38591), [@​gentoo-root](https://github.com/gentoo-root)) - docs: Fix casing and formatting in L3 examples section (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39065](https://github.com/cilium/cilium/issues/39065), [@​mikejoh](https://github.com/mikejoh)) - docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​38886](https://github.com/cilium/cilium/issues/38886), [@​auriaave](https://github.com/auriaave)) - Documentation : Modification of eks-clustermesh-prep.rst (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39025](https://github.com/cilium/cilium/issues/39025), [@​rwinieski](https://github.com/rwinieski)) - documentation: fix get deployment cmd (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​39155](https://github.com/cilium/cilium/issues/39155), [@​g0gn](https://github.com/g0gn)) - k8s/resource: Don't Add to WaitGroup asynchronously (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38692](https://github.com/cilium/cilium/issues/38692), [@​joamaki](https://github.com/joamaki)) - make: fix golangci-lint version detection (Backport PR [#​39078](https://github.com/cilium/cilium/issues/39078), Upstream PR [#​38996](https://github.com/cilium/cilium/issues/38996), [@​mhofstetter](https://github.com/mhofstetter)) - workflows: fix lint-workflows (Backport PR [#​39401](https://github.com/cilium/cilium/issues/39401), Upstream PR [#​39398](https://github.com/cilium/cilium/issues/39398), [@​aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] deps: bump golang-jwt to 4.5.2 ([#​39496](https://github.com/cilium/cilium/issues/39496), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] integration: Regenerate consul certs ([#​39350](https://github.com/cilium/cilium/issues/39350), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.16 ([#​38935](https://github.com/cilium/cilium/issues/38935), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.17@​sha256:8824313a6f17d934b4e63902fee71e6ca36be6f69d68ae174df28f1b0705e587` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.17@​sha256:b5ed33d4a9b006ee3ef367a1b3b23468aa6b32c028557e2c1a47dd2659f100a4` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.17@​sha256:9910861a1d7d82a81f416d6d2f776d4195e1c3671999be14d44b12316fd22724` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.17@​sha256:f46adc030903f2804e7c29d8da7cc9e9c4ef846de5eb84ba76cf74f2c483872e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.17@​sha256:74b07708a934fcf335a743d11296e98b32d32d7a79d0940eaba3652ca248960f` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.17@​sha256:7a0fee345e04e99768269ec63511070a8cf0202a5c5ca723d1b2ab4fe4118276` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.17@​sha256:d710a965d783c4294ac07f86ad3044ab1321cdafdec681b5d26b9ca3cfffabd7` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.17@​sha256:a0f5b5dc8cecd4e5ead7d3bddb3756e4b34beba8e7aa089e7e2fb761725defe1` ##### operator `quay.io/cilium/operator:v1.15.17@​sha256:182e44c2533c6b18af64d914c3f7587940c091bb9fb360dacea6430b071b22de` ### [`v1.15.16`](https://github.com/cilium/cilium/releases/tag/v1.15.16): 1.15.16 [Compare Source](https://github.com/cilium/cilium/compare/1.15.15...1.15.16) ## Summary of Changes **Minor Changes:** - datapath: Move WG skb mark check to to-netdev (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​31751](https://github.com/cilium/cilium/issues/31751), [@​brb](https://github.com/brb)) - Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR [#​38401](https://github.com/cilium/cilium/issues/38401), Upstream PR [#​37936](https://github.com/cilium/cilium/issues/37936), [@​smagnani96](https://github.com/smagnani96)) - Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​35900](https://github.com/cilium/cilium/issues/35900), [@​smagnani96](https://github.com/smagnani96)) **Bugfixes:** - bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38592](https://github.com/cilium/cilium/issues/38592), [@​julianwiedmann](https://github.com/julianwiedmann)) - Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​35694](https://github.com/cilium/cilium/issues/35694), [@​julianwiedmann](https://github.com/julianwiedmann)) - For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38737](https://github.com/cilium/cilium/issues/38737), [@​julianwiedmann](https://github.com/julianwiedmann)) **CI Changes:** - build: update golangci-lint to v2.0.0 (Backport PR [#​38633](https://github.com/cilium/cilium/issues/38633), Upstream PR [#​38473](https://github.com/cilium/cilium/issues/38473), [@​mhofstetter](https://github.com/mhofstetter)) - ci: build CI images within merge group (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38065](https://github.com/cilium/cilium/issues/38065), [@​marseel](https://github.com/marseel)) - ci: prepare CI Image build for being required (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38320](https://github.com/cilium/cilium/issues/38320), [@​marseel](https://github.com/marseel)) - Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38264](https://github.com/cilium/cilium/issues/38264), [@​smagnani96](https://github.com/smagnani96)) - Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38290](https://github.com/cilium/cilium/issues/38290), [@​smagnani96](https://github.com/smagnani96)) - Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38281](https://github.com/cilium/cilium/issues/38281), [@​smagnani96](https://github.com/smagnani96)) - Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38265](https://github.com/cilium/cilium/issues/38265), [@​smagnani96](https://github.com/smagnani96)) - Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38292](https://github.com/cilium/cilium/issues/38292), [@​smagnani96](https://github.com/smagnani96)) - Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38291](https://github.com/cilium/cilium/issues/38291), [@​smagnani96](https://github.com/smagnani96)) - gh: aws-cni: set --enable-identity-mark=false option (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38738](https://github.com/cilium/cilium/issues/38738), [@​julianwiedmann](https://github.com/julianwiedmann)) - gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​37551](https://github.com/cilium/cilium/issues/37551), [@​jschwinger233](https://github.com/jschwinger233)) - gh: update naming for bpftrace leak detection script (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​37865](https://github.com/cilium/cilium/issues/37865), [@​julianwiedmann](https://github.com/julianwiedmann)) - Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38278](https://github.com/cilium/cilium/issues/38278), [@​smagnani96](https://github.com/smagnani96)) - Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38293](https://github.com/cilium/cilium/issues/38293), [@​smagnani96](https://github.com/smagnani96)) - Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38266](https://github.com/cilium/cilium/issues/38266), [@​smagnani96](https://github.com/smagnani96)) - Refactoring and code comments for the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38263](https://github.com/cilium/cilium/issues/38263), [@​smagnani96](https://github.com/smagnani96)) - Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38297](https://github.com/cilium/cilium/issues/38297), [@​smagnani96](https://github.com/smagnani96)) - Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38280](https://github.com/cilium/cilium/issues/38280), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38289](https://github.com/cilium/cilium/issues/38289), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38287](https://github.com/cilium/cilium/issues/38287), [@​smagnani96](https://github.com/smagnani96)) - Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38268](https://github.com/cilium/cilium/issues/38268), [@​smagnani96](https://github.com/smagnani96)) - test: Update FQDN related domain and IP (Backport PR [#​38771](https://github.com/cilium/cilium/issues/38771), Upstream PR [#​38754](https://github.com/cilium/cilium/issues/38754), [@​sayboras](https://github.com/sayboras)) **Misc Changes:** - \[v1.15] deps: bump package x/net ([#​38360](https://github.com/cilium/cilium/issues/38360), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] Manually fix builder image ([#​38748](https://github.com/cilium/cilium/issues/38748), [@​smagnani96](https://github.com/smagnani96)) - \[v1.15] Update oauth to 0.27.0. ([#​38457](https://github.com/cilium/cilium/issues/38457), [@​kyle-c-simmons](https://github.com/kyle-c-simmons)) - bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​37956](https://github.com/cilium/cilium/issues/37956), [@​julianwiedmann](https://github.com/julianwiedmann)) - bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​32871](https://github.com/cilium/cilium/issues/32871), [@​jibi](https://github.com/jibi)) - chore(deps): update all github action dependencies (v1.15) ([#​38332](https://github.com/cilium/cilium/issues/38332), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​38428](https://github.com/cilium/cilium/issues/38428), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​38719](https://github.com/cilium/cilium/issues/38719), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38305](https://github.com/cilium/cilium/issues/38305), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38443](https://github.com/cilium/cilium/issues/38443), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38697](https://github.com/cilium/cilium/issues/38697), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.15) ([#​38732](https://github.com/cilium/cilium/issues/38732), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.2 (v1.15) ([#​38715](https://github.com/cilium/cilium/issues/38715), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.15) ([#​38333](https://github.com/cilium/cilium/issues/38333), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.15) ([#​38718](https://github.com/cilium/cilium/issues/38718), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.36.1 docker digest to [`e246aa2`](https://github.com/cilium/cilium/commit/e246aa2) (v1.15) ([#​38329](https://github.com/cilium/cilium/issues/38329), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.7 docker digest to [`cb45cf7`](https://github.com/cilium/cilium/commit/cb45cf7) (v1.15) ([#​38330](https://github.com/cilium/cilium/issues/38330), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.8 (v1.15) ([#​38716](https://github.com/cilium/cilium/issues/38716), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update kindest/node docker tag to v1.29.14 (v1.15) ([#​38331](https://github.com/cilium/cilium/issues/38331), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/containerd/containerd to v1.7.27 \[security] (v1.15) ([#​38248](https://github.com/cilium/cilium/issues/38248), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.15) ([#​38259](https://github.com/cilium/cilium/issues/38259), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.6-1742515223-dd05ea7be73de22390a6542e87f1834ef0d61ec9 (v1.15) ([#​38386](https://github.com/cilium/cilium/issues/38386), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.15) ([#​38775](https://github.com/cilium/cilium/issues/38775), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38318](https://github.com/cilium/cilium/issues/38318), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38717](https://github.com/cilium/cilium/issues/38717), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38173](https://github.com/cilium/cilium/issues/38173), [@​yrsuthari](https://github.com/yrsuthari)) - docs: clarify hubble flow filter match semantics (Backport PR [#​38702](https://github.com/cilium/cilium/issues/38702), Upstream PR [#​38657](https://github.com/cilium/cilium/issues/38657), [@​devodev](https://github.com/devodev)) - Documentation: "cilium config set" restarts by default (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38114](https://github.com/cilium/cilium/issues/38114), [@​joamaki](https://github.com/joamaki)) - Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38276](https://github.com/cilium/cilium/issues/38276), [@​tklauser](https://github.com/tklauser)) - images: bump distroless to static (Backport PR [#​38696](https://github.com/cilium/cilium/issues/38696), Upstream PR [#​38647](https://github.com/cilium/cilium/issues/38647), [@​kaworu](https://github.com/kaworu)) - pkg/endpoint: fix race in unit test (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38129](https://github.com/cilium/cilium/issues/38129), [@​squeed](https://github.com/squeed)) - remove the endpointRoutes for aws cni in the doc (Backport PR [#​38702](https://github.com/cilium/cilium/issues/38702), Upstream PR [#​38381](https://github.com/cilium/cilium/issues/38381), [@​liyihuang](https://github.com/liyihuang)) - wireguard: attach Ingress program for native routing mode configurations (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​37108](https://github.com/cilium/cilium/issues/37108), [@​julianwiedmann](https://github.com/julianwiedmann)) **Other Changes:** - \[v1.15] images: Update runtime and builder image ([#​38382](https://github.com/cilium/cilium/issues/38382), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.15 ([#​38206](https://github.com/cilium/cilium/issues/38206), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - proxy: Bump envoy version to 1.32.x ([#​38449](https://github.com/cilium/cilium/issues/38449), [@​sayboras](https://github.com/sayboras)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.16@​sha256:17dc69791a5d28a1ea88c149c6798cc9608ebb66c5e8b79a88453207f0cb55a1` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.16@​sha256:6198f79a3f286ac2050349e78474e00ac1e28100b550e075cc724aa8283143af` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.16@​sha256:e50b3c41b472d28a1cbc359b2365a6f657daf57eb38f67cff43b42c16602f870` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.16@​sha256:e1e2c6740fc093dc6cf9c486ba66eb68e5ab1a58fe90a9669868cd24b5dc2a0e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.16@​sha256:1f314bba1c3e7d95a011fc0f0f3945fefc1cbbd3adae7e63e7fac3f923b2163e` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.16@​sha256:5cc6fd7202470c53b06a155748cf3ebe169bac01199bc49e86040dad71d29f69` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.16@​sha256:0d33a1564a0d30c10963c28e9ee1355371c62a2b4af6320b7bf80eb36210fb06` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.16@​sha256:0467e7bc9929a4ed49d9d8a4dee8e0844ee5e711bb41cde63dc6ea0d0eb8f20a` ##### operator `quay.io/cilium/operator:v1.15.16@​sha256:059214812db468cc7b2dc04cde012f95c2e311a5acb5e2391d2656d7af0c8cfe` ### [`v1.15.15`](https://github.com/cilium/cilium/releases/tag/v1.15.15): 1.15.15 [Compare Source](https://github.com/cilium/cilium/compare/1.15.14...1.15.15) ## Summary of Changes **Minor Changes:** - docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37989](https://github.com/cilium/cilium/issues/37989), [@​oblazek](https://github.com/oblazek)) **Bugfixes:** - Egress route reconciliation (Backport PR [#​38124](https://github.com/cilium/cilium/issues/38124), Upstream PR [#​37962](https://github.com/cilium/cilium/issues/37962), [@​dylandreimerink](https://github.com/dylandreimerink)) - Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37419](https://github.com/cilium/cilium/issues/37419), [@​javanthropus](https://github.com/javanthropus)) - Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37818](https://github.com/cilium/cilium/issues/37818), [@​haozhangami](https://github.com/haozhangami)) - Fix: cilium-operator no longer patches services on shutdown (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37967](https://github.com/cilium/cilium/issues/37967), [@​rsafonseca](https://github.com/rsafonseca)) **CI Changes:** - .github: Remove misleading step from ipsec workflow (Backport PR [#​37744](https://github.com/cilium/cilium/issues/37744), Upstream PR [#​37681](https://github.com/cilium/cilium/issues/37681), [@​joestringer](https://github.com/joestringer)) - ci: add leak detection to conformance-ipsec-upgrade (Backport PR [#​36576](https://github.com/cilium/cilium/issues/36576), Upstream PR [#​36377](https://github.com/cilium/cilium/issues/36377), [@​smagnani96](https://github.com/smagnani96)) - CI: GKE backslash missing disable insecure kubelet (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37850](https://github.com/cilium/cilium/issues/37850), [@​auriaave](https://github.com/auriaave)) - CI: GKE, disable insecure kubelet readonly port (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37844](https://github.com/cilium/cilium/issues/37844), [@​auriaave](https://github.com/auriaave)) - ci: switch to monitor aggregation medium (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​38036](https://github.com/cilium/cilium/issues/38036), [@​marseel](https://github.com/marseel)) - Cleanups after LLVM upgrade. (Backport PR [#​37800](https://github.com/cilium/cilium/issues/37800), Upstream PR [#​32067](https://github.com/cilium/cilium/issues/32067), [@​gentoo-root](https://github.com/gentoo-root)) **Misc Changes:** - .github: add missing files to build-image base images ([#​38066](https://github.com/cilium/cilium/issues/38066), [@​aanm](https://github.com/aanm)) - chore(deps): update all github action dependencies (v1.15) ([#​37954](https://github.com/cilium/cilium/issues/37954), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37999](https://github.com/cilium/cilium/issues/37999), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38050](https://github.com/cilium/cilium/issues/38050), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.15) ([#​37953](https://github.com/cilium/cilium/issues/37953), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.15) ([#​38078](https://github.com/cilium/cilium/issues/38078), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.7 (v1.15) ([#​38000](https://github.com/cilium/cilium/issues/38000), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 \[security] (v1.15) ([#​37835](https://github.com/cilium/cilium/issues/37835), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.15) ([#​38150](https://github.com/cilium/cilium/issues/38150), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: fix broken links (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37995](https://github.com/cilium/cilium/issues/37995), [@​nueavv](https://github.com/nueavv)) - Fix helm value for IPAM Multi-Pool (Backport PR [#​38013](https://github.com/cilium/cilium/issues/38013), Upstream PR [#​37963](https://github.com/cilium/cilium/issues/37963), [@​saintdle](https://github.com/saintdle)) - images: update cilium-runtime/builder images ([#​38186](https://github.com/cilium/cilium/issues/38186), [@​jrajahalme](https://github.com/jrajahalme)) - Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37806](https://github.com/cilium/cilium/issues/37806), [@​rolinh](https://github.com/rolinh)) **Other Changes:** - \[v1.15] Revert "chore(deps): update dependency cilium/cilium-cli to v0.18.0" ([#​38004](https://github.com/cilium/cilium/issues/38004), [@​julianwiedmann](https://github.com/julianwiedmann)) - install: Update image digests for v1.15.14 ([#​37710](https://github.com/cilium/cilium/issues/37710), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - v1.15: gh/workflows: Remove conformance-externalworkloads ([#​37740](https://github.com/cilium/cilium/issues/37740), [@​brb](https://github.com/brb)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.15@​sha256:d389a21c8ceefbb86e7f1a15b18a5a6a5b372431b2528314fa456133a7617e7a` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.15@​sha256:cec3446d019af240d99ae14f8550fb7f59c02066535130f4b609fadb5b63f79b` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.15@​sha256:abe0e3fb8f3826e21b93cba3b5b8bc153b8bc50f7b7a1defd8dee01ae3a87898` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.15@​sha256:2dd532b06f802303634515172c40592d79e06cfad579c98411ad976879a0c099` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.15@​sha256:023a341d0b873321a952dc3526be791db212a261e3de8e5c38064cc4a17da096` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.15@​sha256:fdffd54ba7d2ded8d893b14d37c4afdf29bf2c6404f2da3d1eba0bab788972fc` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.15@​sha256:e34a52ca2503ef9168a2710431c341b780c55303aabea7d4183bc619d4ce0ed9` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.15@​sha256:6f107958d9028a5a43efa7aaef941b3ae7f7e8f479ff9e4408b116a5eda56abe` ##### operator `quay.io/cilium/operator:v1.15.15@​sha256:99d7fceaf5814dfe5aae37e6dcd55ed75ac937dd5ce8e347c0dc8ad169cd7559` ### [`v1.15.14`](https://github.com/cilium/cilium/releases/tag/v1.15.14): 1.15.14 [Compare Source](https://github.com/cilium/cilium/compare/1.15.13...1.15.14) ## Summary of Changes **Bugfixes:** - Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37086](https://github.com/cilium/cilium/issues/37086), [@​giorio94](https://github.com/giorio94)) - Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​36103](https://github.com/cilium/cilium/issues/36103), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) - Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​36504](https://github.com/cilium/cilium/issues/36504), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) **CI Changes:** - \[v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (Backport PR [#​37646](https://github.com/cilium/cilium/issues/37646), Upstream PR [#​37380](https://github.com/cilium/cilium/issues/37380), [@​giorio94](https://github.com/giorio94)) - gh: harmonize lvh kernel naming scheme (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37322](https://github.com/cilium/cilium/issues/37322), [@​julianwiedmann](https://github.com/julianwiedmann)) - gh: update removed --loglevel option for kind (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36935](https://github.com/cilium/cilium/issues/36935), [@​julianwiedmann](https://github.com/julianwiedmann)) - gha: fix retrieval of DNS server in conformance external workloads (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37361](https://github.com/cilium/cilium/issues/37361), [@​giorio94](https://github.com/giorio94)) - gha: Retrieve eks supported version via aws cli (Backport PR [#​37224](https://github.com/cilium/cilium/issues/37224), Upstream PR [#​37210](https://github.com/cilium/cilium/issues/37210), [@​sayboras](https://github.com/sayboras)) - Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36364](https://github.com/cilium/cilium/issues/36364), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36962](https://github.com/cilium/cilium/issues/36962), [@​smagnani96](https://github.com/smagnani96)) - test: Move demo-httpd from Docker to Quay (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37149](https://github.com/cilium/cilium/issues/37149), [@​joestringer](https://github.com/joestringer)) - test: Move the dind image to Quay to avoid rate-limiting (Backport PR [#​37442](https://github.com/cilium/cilium/issues/37442), Upstream PR [#​37388](https://github.com/cilium/cilium/issues/37388), [@​pchaigno](https://github.com/pchaigno)) **Misc Changes:** - \[v1.15] deps: bump grpc-go to v1.64.1 ([#​37628](https://github.com/cilium/cilium/issues/37628), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] docs: Update requirements.txt dependencies ([#​37619](https://github.com/cilium/cilium/issues/37619), [@​joestringer](https://github.com/joestringer)) - chore(deps): update actions/setup-go action to v5.3.0 (v1.15) ([#​37118](https://github.com/cilium/cilium/issues/37118), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37101](https://github.com/cilium/cilium/issues/37101), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37245](https://github.com/cilium/cilium/issues/37245), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37508](https://github.com/cilium/cilium/issues/37508), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37034](https://github.com/cilium/cilium/issues/37034), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37344](https://github.com/cilium/cilium/issues/37344), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37665](https://github.com/cilium/cilium/issues/37665), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.15) ([#​37339](https://github.com/cilium/cilium/issues/37339), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.6 (v1.15) ([#​37216](https://github.com/cilium/cilium/issues/37216), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.0 (v1.15) ([#​37507](https://github.com/cilium/cilium/issues/37507), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.1 (v1.15) ([#​37590](https://github.com/cilium/cilium/issues/37590), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.15) ([#​37217](https://github.com/cilium/cilium/issues/37217), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.15) ([#​37506](https://github.com/cilium/cilium/issues/37506), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v29 (v1.15) ([#​37509](https://github.com/cilium/cilium/issues/37509), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.11 (v1.15) ([#​37046](https://github.com/cilium/cilium/issues/37046), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.6 (v1.15) ([#​37498](https://github.com/cilium/cilium/issues/37498), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.1.17 (v1.15) ([#​37100](https://github.com/cilium/cilium/issues/37100), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.15) ([#​37202](https://github.com/cilium/cilium/issues/37202), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - doc(glossary): Geneve as final RFC (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37316](https://github.com/cilium/cilium/issues/37316), [@​alagoutte](https://github.com/alagoutte)) - doc: eks cluster restriction removed (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37043](https://github.com/cilium/cilium/issues/37043), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) - doc: Removed nodeinit from aks byocni install (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37048](https://github.com/cilium/cilium/issues/37048), [@​PhilipSchmid](https://github.com/PhilipSchmid)) - docs: Add SNI policy example (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37234](https://github.com/cilium/cilium/issues/37234), [@​sayboras](https://github.com/sayboras)) - docs: pass current_version to html_context (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37008](https://github.com/cilium/cilium/issues/37008), [@​ayuspin](https://github.com/ayuspin)) - Fix API generation and add trusted dependencies to renovate config (Backport PR [#​37646](https://github.com/cilium/cilium/issues/37646), Upstream PR [#​36957](https://github.com/cilium/cilium/issues/36957), [@​aanm](https://github.com/aanm)) - images/builder: let renovate update protoc and proto plugins (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​32739](https://github.com/cilium/cilium/issues/32739), [@​rolinh](https://github.com/rolinh)) - images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​34488](https://github.com/cilium/cilium/issues/34488), [@​tklauser](https://github.com/tklauser)) - Remove outdated roadmap matrix and links to it (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37170](https://github.com/cilium/cilium/issues/37170), [@​xmulligan](https://github.com/xmulligan)) - renovate: add fix grpc-go autodetection (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​33570](https://github.com/cilium/cilium/issues/33570), [@​aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] envoy: Bump envoy version to v1.31.x ([#​37161](https://github.com/cilium/cilium/issues/37161), [@​sayboras](https://github.com/sayboras)) - \[v1.15] gha: Retrieve eks supported version via aws cli ([#​37230](https://github.com/cilium/cilium/issues/37230), [@​sayboras](https://github.com/sayboras)) - chore(deps): update go to v1.23.5 (v1.15) ([#​37197](https://github.com/cilium/cilium/issues/37197), [@​sayboras](https://github.com/sayboras)) - Cilium avoids running out of space in policy maps by cleaning up entries in specific cases previously missed. ([#​36884](https://github.com/cilium/cilium/issues/36884), [@​bimmlerd](https://github.com/bimmlerd)) - gha: Fix feature test artifact upload ([#​37205](https://github.com/cilium/cilium/issues/37205), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.13 ([#​37153](https://github.com/cilium/cilium/issues/37153), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.14@​sha256:f9599990748b0065990154dce0fc0ebec6baef55fd2125c9b710e03f61c7f4e6` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.14@​sha256:1821eaa3597c3ec24fbc5b50e3dfb48358bc15e9104c3e3422da474052821f5b` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.14@​sha256:ba840a1c16a0989b74f1bc4057c5630be9a290c64d6cfc00664ef39142da88b4` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.14@​sha256:e0445a89ca8e9089637c0914aa85f6f3305a80be3ddc68ad8bf4262e284654e7` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.14@​sha256:4434a0b36f558f5bb30b997b1c73e8cd9bce8dcc3fb27b86f43860cbab4aa12d` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.14@​sha256:642dd93c60dd8e161ab5c523a13b872cbfee80b092029ae62b55979ac5639231` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.14@​sha256:f6537984cce9df702ea6bc7acc37ccdc19e7c50d88eb716fb217dc2ab65a7081` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.14@​sha256:f4a23024a6eb3cba7f1f4b65c79bc9e1e675787d04a12253df22dbf623b76825` ##### operator `quay.io/cilium/operator:v1.15.14@​sha256:ccdeb2b56005e565fd4bff895b80803a28029077bd27e1c4bbc05143dbc82925` ### [`v1.15.13`](https://github.com/cilium/cilium/releases/tag/v1.15.13): 1.15.13 [Compare Source](https://github.com/cilium/cilium/compare/1.15.12...1.15.13) ## Summary of Changes **Major Changes:** - Add feature tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​35852](https://github.com/cilium/cilium/issues/35852), [@​aanm](https://github.com/aanm)) - Add feature tracking in Cilium Operator as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36077](https://github.com/cilium/cilium/issues/36077), [@​aanm](https://github.com/aanm)) **Minor Changes:** - envoy: Use yaml format for bootstrap config (Backport PR [#​36864](https://github.com/cilium/cilium/issues/36864), Upstream PR [#​36820](https://github.com/cilium/cilium/issues/36820), [@​sayboras](https://github.com/sayboras)) - Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs ([#​36560](https://github.com/cilium/cilium/issues/36560), [@​pippolo84](https://github.com/pippolo84)) **Bugfixes:** - envoy: Configure internal address config based on IP family (Backport PR [#​36864](https://github.com/cilium/cilium/issues/36864), Upstream PR [#​36733](https://github.com/cilium/cilium/issues/36733), [@​sayboras](https://github.com/sayboras)) - metrics/features: remove reporting metrics' defaults by default (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36298](https://github.com/cilium/cilium/issues/36298), [@​aanm](https://github.com/aanm)) - ui: drop CORS headers from api response (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​35762](https://github.com/cilium/cilium/issues/35762), [@​geakstr](https://github.com/geakstr)) **CI Changes:** - \[v1.15] .github: Remove CI Fuzz workflow ([#​36642](https://github.com/cilium/cilium/issues/36642), [@​joestringer](https://github.com/joestringer)) - \[v1.15] gha: bump ubuntu version in conformance-externalworkloads ([#​36857](https://github.com/cilium/cilium/issues/36857), [@​giorio94](https://github.com/giorio94)) - \[v1.15] gha: use /test to trigger tests in stable branches ([#​36674](https://github.com/cilium/cilium/issues/36674), [@​giorio94](https://github.com/giorio94)) - \[v1.15] Unblock verifier test LVH image updates ([#​36689](https://github.com/cilium/cilium/issues/36689), [@​tklauser](https://github.com/tklauser)) - ci: fix job names for various ci workflows (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36397](https://github.com/cilium/cilium/issues/36397), [@​marseel](https://github.com/marseel)) - Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​33398](https://github.com/cilium/cilium/issues/33398), [@​giorio94](https://github.com/giorio94)) - gh: e2e-upgrade: de-renovate the config example (Backport PR [#​36638](https://github.com/cilium/cilium/issues/36638), Upstream PR [#​36463](https://github.com/cilium/cilium/issues/36463), [@​julianwiedmann](https://github.com/julianwiedmann)) - gha: correctly downgrade to patch release in ipsec workflows (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36858](https://github.com/cilium/cilium/issues/36858), [@​giorio94](https://github.com/giorio94)) - gha: merge artifacts in net-perf-gke workflow (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36236](https://github.com/cilium/cilium/issues/36236), [@​giorio94](https://github.com/giorio94)) - gha: Use ubuntu-24.04 for integration-test (Backport PR [#​36660](https://github.com/cilium/cilium/issues/36660), Upstream PR [#​36628](https://github.com/cilium/cilium/issues/36628), [@​sayboras](https://github.com/sayboras)) - Use Clang from cilium-builder image to build BPF code in CI (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​31754](https://github.com/cilium/cilium/issues/31754), [@​gentoo-root](https://github.com/gentoo-root)) **Misc Changes:** - .github/workflows: always install cilium-cli (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36234](https://github.com/cilium/cilium/issues/36234), [@​aanm](https://github.com/aanm)) - .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36461](https://github.com/cilium/cilium/issues/36461), [@​aanm](https://github.com/aanm)) - .github: fix conformance-k8s NP test (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36355](https://github.com/cilium/cilium/issues/36355), [@​aanm](https://github.com/aanm)) - \[v1.15] Use bash syntax to consume env variable ([#​36634](https://github.com/cilium/cilium/issues/36634), [@​ferozsalam](https://github.com/ferozsalam)) - Add more features tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36078](https://github.com/cilium/cilium/issues/36078), [@​aanm](https://github.com/aanm)) - Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36203](https://github.com/cilium/cilium/issues/36203), [@​aanm](https://github.com/aanm)) - build: Remove debug leftover from Makefile (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36917](https://github.com/cilium/cilium/issues/36917), [@​gentoo-root](https://github.com/gentoo-root)) - chore(deps): update all github action dependencies (v1.15) ([#​36616](https://github.com/cilium/cilium/issues/36616), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​36951](https://github.com/cilium/cilium/issues/36951), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) (patch) ([#​36445](https://github.com/cilium/cilium/issues/36445), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​36613](https://github.com/cilium/cilium/issues/36613), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​36903](https://github.com/cilium/cilium/issues/36903), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.15) ([#​36891](https://github.com/cilium/cilium/issues/36891), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.5 (v1.15) ([#​36764](https://github.com/cilium/cilium/issues/36764), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.10 docker digest to [`1a6e657`](https://github.com/cilium/cilium/commit/1a6e657) (v1.15) ([#​36614](https://github.com/cilium/cilium/issues/36614), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​36765](https://github.com/cilium/cilium/issues/36765), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Clarify Identity-Relevant Labels description (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36924](https://github.com/cilium/cilium/issues/36924), [@​joestringer](https://github.com/joestringer)) - docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR [#​36638](https://github.com/cilium/cilium/issues/36638), Upstream PR [#​36549](https://github.com/cilium/cilium/issues/36549), [@​verysonglaa](https://github.com/verysonglaa)) - Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​36788](https://github.com/cilium/cilium/issues/36788), [@​gentoo-root](https://github.com/gentoo-root)) - fix(deps): update module golang.org/x/net to v0.33.0 \[security] (v1.15) ([#​36712](https://github.com/cilium/cilium/issues/36712), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - ingress, gateway-api: Convert test fixtures to file based (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​36732](https://github.com/cilium/cilium/issues/36732), [@​sayboras](https://github.com/sayboras)) - metrics/features: enable ClusterMesh (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36402](https://github.com/cilium/cilium/issues/36402), [@​aanm](https://github.com/aanm)) - metrics/features: refactor metric names (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36209](https://github.com/cilium/cilium/issues/36209), [@​aanm](https://github.com/aanm)) - Remove reference to DNS polling (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​36679](https://github.com/cilium/cilium/issues/36679), [@​JacobHenner](https://github.com/JacobHenner)) **Other Changes:** - \[v1.15] envoy: Demote expected initial fetch timeout warning to info level ([#​37014](https://github.com/cilium/cilium/issues/37014), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.12 ([#​36655](https://github.com/cilium/cilium/issues/36655), [@​cilium-release-bot](https…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #37051