fix(deps): update module github.com/cilium/cilium to v1.15.8 [security] (v1.0) - abandoned - autoclosed

[cilium-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/cilium/cilium	require	patch	v1.15.0-pre.1 -> v1.15.8

GitHub Vulnerability Alerts

CVE-2024-42488

Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

• All versions of Cilium before v1.14.14
• Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

• Cilium v1.14.14
• Cilium v1.15.8

Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @​skmatti for raising and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-42487

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
• Cilium v1.16.0

This issue is fixed in:

• Cilium v1.15.8
• Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @​sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-42486

Impact

Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets that they should no longer have access to.

Patches

This issue was resolved in https://github.com/cilium/cilium/pull/34032.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
• Cilium v1.16.0

This issue has been patched in:

• Cilium v1.15.8
• Cilium v1.16.1

Workarounds

Any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @​sayboras for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.15.8: 1.15.8

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

• GHSA-vwf8-q6fw-4wcm
• GHSA-qcm3-7879-xcww
• GHSA-q7w8-72mr-vpgw

Summary of Changes

Minor Changes:

• helm: Add validation to prevent users from using deprecated values that have been removed (#​34213, @​chancez)
• helm: Cleanup old k8s version check and deprecated atributes (Backport PR #​34157, Upstream PR #​31940, @​sayboras)
• Make hubble-relay more resilient to transient errors (Backport PR #​34157, Upstream PR #​33894, @​chancez)

Bugfixes:

• add support for validation of stringToString values in ConfigMap (Backport PR #​33962, Upstream PR #​33779, @​alex-berger)
• auth: Fix data race in Upsert (Backport PR #​34157, Upstream PR #​33905, @​chaunceyjiang)
• auth: fix fatal error: concurrent map iteration and map write (Backport PR #​33809, Upstream PR #​33634, @​chaunceyjiang)
• cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #​33809, Upstream PR #​33616, @​mrproliu)
• DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #​33809, Upstream PR #​33592, @​gandro)
• Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started.
  Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #​33818, Upstream PR #​33629, @​joamaki)
• Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #​34183, Upstream PR #​34091, @​giorio94)
• Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
  Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #​34086, Upstream PR #​34012, @​joamaki)
• Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #​33809, Upstream PR #​33735, @​giorio94)
• Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #​33663, Upstream PR #​33511, @​skmatti)
• gateway-api: Add HTTP method condition in sortable routes (Backport PR #​34157, Upstream PR #​34109, @​sayboras)
• gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #​34157, Upstream PR #​34032, @​sayboras)
• helm: remove duplicate metrics for Envoy pod (Backport PR #​34157, Upstream PR #​33803, @​mhofstetter)
• lbipam: fixed bug in sharing key logic (Backport PR #​34157, Upstream PR #​34106, @​dylandreimerink)
• pkg/metrics: fix data race warning on metrics init hook. (Backport PR #​33962, Upstream PR #​33823, @​tommyp1ckles)
• Reduce conntrack lifetime for closing service connections. (Backport PR #​33962, Upstream PR #​33907, @​julianwiedmann)
• Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #​33809, Upstream PR #​33306, @​skmatti)
• The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #​34157, Upstream PR #​33666, @​bimmlerd)

CI Changes:

• [v1.15] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel (#​33736, @​julianwiedmann)
• [v1.15] gh/e2e: fix up config 15 to not use bpf-next (#​33738, @​julianwiedmann)
• gha: Add http client timeout in Ingress (Backport PR #​33809, Upstream PR #​33683, @​sayboras)
• gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #​33962, Upstream PR #​33819, @​giorio94)
• gha: ensure that helm values.schema.json is not accidentally backported (#​33845, @​giorio94)
• gha: lint absence of trailing spaces in workflow files (Backport PR #​34157, Upstream PR #​33908, @​giorio94)
• gha: simplify the call-backport-label-updater workflow (Backport PR #​33962, Upstream PR #​33934, @​giorio94)
• test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #​34157, Upstream PR #​34004, @​tommyp1ckles)
• tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR #​34157, Upstream PR #​34121, @​michi-covalent)
• workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #​33809, Upstream PR #​33769, @​pchaigno)

Misc Changes:

• [v1.15] Update Docker dependency (#​34196, @​ferozsalam)
• bugtool: dumping more Envoy information (Backport PR #​34157, Upstream PR #​34110, @​mhofstetter)
• chore(deps): update all github action dependencies (v1.15) (#​34170, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33649, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​34168, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (#​33793, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) (#​33794, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1 (v1.15) (#​34051, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.12 docker digest to 7e0e13a (v1.15) (#​33792, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.5 (v1.15) (#​33857, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.6 (v1.15) (#​34167, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33798, @​cilium-renovate[bot])
• daemon/ipam: don't swallow parse error of CIDR (Backport PR #​33809, Upstream PR #​33283, @​bimmlerd)
• doc: update slack channel reference (Backport PR #​34157, Upstream PR #​34044, @​Huweicai)
• docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #​33809, Upstream PR #​33655, @​aditighag)
• docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport PR #​33809, Upstream PR #​33725, @​brb)
• docs: Extend LRP guide with troubleshooting section (Backport PR #​33809, Upstream PR #​33373, @​aditighag)
• docs: generalize version specific notes section (Backport PR #​33962, Upstream PR #​33888, @​giorio94)
• docs: Remove CNCF graduation from the roadmap (Backport PR #​33809, Upstream PR #​33680, @​joestringer)
• docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #​33809, Upstream PR #​33626, @​giorio94)
• docs: Update LVH VM image pull instructions (Backport PR #​33809, Upstream PR #​33621, @​brb)
• Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #​33809, Upstream PR #​33708, @​Mais316)
• helm: Allow socket linger timeout to be set to zero (Backport PR #​33962, Upstream PR #​33887, @​gandro)
• policy: Fix mapstate.Diff() used in tests (Backport PR #​33809, Upstream PR #​33449, @​jrajahalme)
• Remove stable tags from v1.15 releases (#​33985, @​joestringer)
• renovate: onboard etcd image used in integration tests (Backport PR #​33809, Upstream PR #​33679, @​giorio94)
• Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #​34306, Upstream PR #​34277, @​aanm)

Other Changes:

• [v1.15] ci: use base and head SHAs from context in lint-build-commits workflow (#​34267, @​tklauser)
• [v1.15] Revert "docs: Update LRP feature status" (#​34238, @​ysksuzuki)
• Fix bug in Bandwidth Manager that caused it to not find native devices. (#​33910, @​joamaki)
• install: Update image digests for v1.15.7 (#​33744, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.8@​sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.8@​sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e

docker-plugin

quay.io/cilium/docker-plugin:v1.15.8@​sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310

hubble-relay

quay.io/cilium/hubble-relay:v1.15.8@​sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.8@​sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1

operator-aws

quay.io/cilium/operator-aws:v1.15.8@​sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1

operator-azure

quay.io/cilium/operator-azure:v1.15.8@​sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21

operator-generic

quay.io/cilium/operator-generic:v1.15.8@​sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18

operator

quay.io/cilium/operator:v1.15.8@​sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c

v1.15.7: 1.15.7

Compare Source

Summary of Changes

We are pleased to release Cilium v1.15.7, which makes the load balancer class of the Clustermesh API server configurable and includes stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!

Minor Changes:

• helm: loadBalancerClass for Cluster Mesh APIserver (Backport PR #​33342, Upstream PR #​33033, @​PhilipSchmid)
• ui: v0.13.1 release (Backport PR #​33223, Upstream PR #​32852, @​geakstr)

Bugfixes:

• bgpv1: reorder neighbor creation and deletion steps (Backport PR #​33378, Upstream PR #​33262, @​harsimran-pabla)
• datapath: Fix redirect from from L3 netdev to tunnel (Backport PR #​33529, Upstream PR #​33421, @​brb)
• Datasource error fixed for Hubble DNS and Network dashboards (Backport PR #​33631, Upstream PR #​30580, @​Pionerd)
• egress-gateway: Validate ep identity before fetching labels (Backport PR #​33529, Upstream PR #​33311, @​pippolo84)
• envoy: Avoid short circuit backend filtering (Backport PR #​33533, Upstream PR #​33403, @​sayboras)
• Fix #​32587 concurrent hubble dynamic exporter stop and reload (Backport PR #​33098, Upstream PR #​33000, @​marqc)
• Fix hubble metrics leak by using CiliumEndpoint watcher to remove stale metrics. (Backport PR #​33529, Upstream PR #​33260, @​sgargan)
• Fix rare spurious double reconnection upon clustermesh configuration change for remote cluster (Backport PR #​33378, Upstream PR #​33248, @​giorio94)
• Fix too many open Unix sockets (Backport PR #​33631, Upstream PR #​33569, @​chaunceyjiang)
• gateway-api: Check for matching controller name (Backport PR #​33223, Upstream PR #​33050, @​sayboras)
• Generate SBOM from the correct release image (#​33052, @​ferozsalam)
• helm: Decouple sysctlfix from cgroup.autoMount (Backport PR #​33010, Upstream PR #​32866, @​YutaroHayakawa)
• ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport PR #​33631, Upstream PR #​33512, @​jasonaliyetti)
• IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport PR #​33529, Upstream PR #​33448, @​jrajahalme)
• Recreate CT entries for non-TCP to fix L7 proxy redirect failures. (Backport PR #​33378, Upstream PR #​33222, @​ysksuzuki)
• Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #​33631, Upstream PR #​33551, @​julianwiedmann)
• Revert PR #​32244 which caused unintended side-effects that negatively impacted network performance. (Backport PR #​33378, Upstream PR #​33304, @​learnitall)
• socketlb: tolerate cgroupv1 when detaching bpf programs (Backport PR #​33631, Upstream PR #​33599, @​rgo3)
• Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport PR #​33631, Upstream PR #​33472, @​jasonaliyetti)
• When the Bandwidth Manager feature is enabled, don't apply Egress rate-limiting to "Port unreachable" ICMP replies by Cilium's North-South Loadbalancer. (Backport PR #​33631, Upstream PR #​33624, @​julianwiedmann)

CI Changes:

• [v1.15] Disable release SBOM asset uploads (#​33072, @​ferozsalam)
• Bump CLI to v0.16.11 (Backport PR #​33529, Upstream PR #​33444, @​brb)
• ci: Add IPsec leak detection for ci-ipsec-e2e (Backport PR #​33047, Upstream PR #​32930, @​jschwinger233)
• ci: l4lb: Don't hang on gathering logs forever (Backport PR #​33010, Upstream PR #​32947, @​joestringer)
• gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport PR #​33631, Upstream PR #​33509, @​julianwiedmann)
• gha: Only retrieve IPv4 CIDR from docker network (Backport PR #​33110, Upstream PR #​33093, @​sayboras)
• workflows: e2e-upgrade: fix EXTRA parameters (Backport PR #​33223, Upstream PR #​33150, @​jibi)

Misc Changes:

• .github: add workflow for renovate to build base images (Backport PR #​33346, Upstream PR #​33326, @​aanm)
• .github: fix cloud workflows for renovate (Backport PR #​33321, Upstream PR #​33320, @​aanm)
• .github: fix worfklows used by renovate (Backport PR #​33317, Upstream PR #​33309, @​aanm)
• [v1.15] remove tracking of backports with MLH (#​33124, @​aanm)
• Add auto-merge for renovate for trusted dependencies (Backport PR #​33317, Upstream PR #​33287, @​aanm)
• bpf: ct: return actual error from CT lookup (Backport PR #​33378, Upstream PR #​33225, @​julianwiedmann)
• bpf: encap: fix ifindex in TO_OVERLAY trace notification (Backport PR #​33575, Upstream PR #​33083, @​julianwiedmann)
• bpf: lxc: fix ifindex in TO_ENDPOINT trace notification (Backport PR #​33575, Upstream PR #​33085, @​julianwiedmann)
• bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() (Backport PR #​33378, Upstream PR #​33181, @​julianwiedmann)
• build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (Backport PR #​33378, Upstream PR #​33218, @​dependabot[bot])
• build-images-base: cancel github runs based on branch name (Backport PR #​33378, Upstream PR #​33353, @​aanm)
• build-images-base: push to branch if pull request ref doesn't exist (Backport PR #​33378, Upstream PR #​33368, @​aanm)
• build-images: fetch artifacts with specific pattern (Backport PR #​33378, Upstream PR #​33216, @​aanm)
• chore(deps): update all github action dependencies (v1.15) (#​33177, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​33338, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​33492, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33175, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33337, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33571, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.11 (v1.15) (#​33650, @​cilium-renovate[bot])
• chore(deps): update cilium/scale-tests-action digest to 511e3d9 (v1.15) (#​33208, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.10 (v1.15) (#​32990, @​cilium-renovate[bot])
• chore(deps): update dependency eksctl-io/eksctl to v0.182.0 (v1.15) (#​32991, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 (v1.15) (#​33174, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 (v1.15) (#​33336, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.12 docker digest to 488f80a (v1.15) (#​33660, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v5.4.0 (v1.15) (#​33018, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v6 (v1.15) (#​33198, @​cilium-renovate[bot])
• chore(deps): update go to v1.21.12 (v1.15) (#​33539, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33003, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33176, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33301, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33657, @​cilium-renovate[bot])
• daemon: Allow DNS transparent mode to be turned off with encryption (Backport PR #​33631, Upstream PR #​33420, @​gandro)
• docs: Improve note on kube-apiserver entity limitations (Backport PR #​33529, Upstream PR #​33382, @​gandro)
• docs: ipsec: mention dependency on transparent mode for DNS proxy (Backport PR #​33098, Upstream PR #​33062, @​julianwiedmann)
• Documentation: accept ORG and REPO (Backport PR #​33631, Upstream PR #​33514, @​aanm)
• examples: Fix subject selector in ingress policy (Backport PR #​33378, Upstream PR #​33292, @​joestringer)
• Fix renovate's concurrency group (Backport PR #​33559, Upstream PR #​33528, @​aanm)
• images: update cilium-{runtime,builder} (#​33714, @​aanm)
• Increase usability of Makefile.override (Backport PR #​33098, Upstream PR #​32660, @​learnitall)
• install/kubernetes: update nodeinit image to latest version (Backport PR #​33529, Upstream PR #​33427, @​marseel)
• ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (Backport PR #​33152, Upstream PR #​33120, @​squeed)
• LRP: Misc fix-ups (Backport PR #​33529, Upstream PR #​33442, @​aditighag)
• Miscellaneous fixes in the usage of Makefile.override and build modifiers (Backport PR #​33098, Upstream PR #​33129, @​giorio94)
• Miscellaneous improvements to clustermesh-related troubleshooting tools (Backport PR #​33378, Upstream PR #​32951, @​giorio94)
• Remove release scripts (Backport PR #​33010, Upstream PR #​32938, @​aanm)
• Renovate changes (Backport PR #​33559, Upstream PR #​33519, @​aanm)
• renovate: add auto-approve bot for renovate PRs (Backport PR #​33642, Upstream PR #​33604, @​aanm)

Other Changes:

• (v1.15) Add permissions to read generated SBOMs (#​33059, @​ferozsalam)
• [v1.15] bpf: ct: return actual error from CT lookup (fixup) (#​33484, @​julianwiedmann)
• [v1.15] gh/workflows: fix skipping of no-frag test in ipsec-e2e workflow (#​33671, @​julianwiedmann)
• Bump GoBGP to v3.27.0 (#​32993, @​YutaroHayakawa)
• envoy: Bump golang version to v1.22.5 (#​33555, @​sayboras)
• envoy: Update envoy 1.28.x to v1.28.5 (#​33483, @​sayboras)
• install: Update image digests for v1.15.6 (#​33015, @​qmonnet)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.7@​sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
quay.io/cilium/cilium:stable@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.7@​sha256:f8fc26060e0f0c131200b762667f91788a4499362fc72209ce30b4032e926c68
quay.io/cilium/clustermesh-apiserver:stable@sha256:f8fc26060e0f0c131200b762667f91788a4499362fc72209ce30b4032e926c68

docker-plugin

quay.io/cilium/docker-plugin:v1.15.7@​sha256:1091cd5586fd5bac23816a05f8828758442a134255e0f73f0ac384310395d304
quay.io/cilium/docker-plugin:stable@sha256:1091cd5586fd5bac23816a05f8828758442a134255e0f73f0ac384310395d304

hubble-relay

quay.io/cilium/hubble-relay:v1.15.7@​sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f
quay.io/cilium/hubble-relay:stable@sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.7@​sha256:2dcd7e3305cb47e4b5fbbb9bc2451d6aacb18788a87cab95cf86aec65ec19329
quay.io/cilium/operator-alibabacloud:stable@sha256:2dcd7e3305cb47e4b5fbbb9bc2451d6aacb18788a87cab95cf86aec65ec19329

operator-aws

quay.io/cilium/operator-aws:v1.15.7@​sha256:bb4085da666a5c7a7c6f8135f0de10f0b6895dbf561e9fccda0e272b51bb936e
quay.io/cilium/operator-aws:stable@sha256:bb4085da666a5c7a7c6f8135f0de10f0b6895dbf561e9fccda0e272b51bb936e

operator-azure

quay.io/cilium/operator-azure:v1.15.7@​sha256:8e189549bc3c31a44a1171cc970b8e502ae8bf55cd07035735c4b3a24a16f80b
quay.io/cilium/operator-azure:stable@sha256:8e189549bc3c31a44a1171cc970b8e502ae8bf55cd07035735c4b3a24a16f80b

operator-generic

quay.io/cilium/operator-generic:v1.15.7@​sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54
quay.io/cilium/operator-generic:stable@sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54

operator

quay.io/cilium/operator:v1.15.7@​sha256:9a599861adc64631c134f86c95823321b59948f35ebc5af31586987d74166341
quay.io/cilium/operator:stable@sha256:9a599861adc64631c134f86c95823321b59948f35ebc5af31586987d74166341

v1.15.6: 1.15.6

Compare Source

We are pleased to release Cilium v1.15.6 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️

Summary of Changes

Minor Changes:

• [v1.15] fqdn: Forward-compatibility with Cilium 1.16 FQDN identities (#​32872, @​gandro)
• Generate SBOMs using Syft instead of bom (Backport PR #​32691, Upstream PR #​32307, @​ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #​32748, Upstream PR #​32577, @​marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #​32568, Upstream PR #​32336, @​giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #​32882, Upstream PR #​32588, @​marseel)
• KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR #​32568, Upstream PR #​32156, @​giorio94)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #​32889, Upstream PR #​32860, @​aanm)
• [v1.15] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil (#​32649, @​pippolo84)
• Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR #​32500, Upstream PR #​32117, @​giorio94)
• bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR #​32691, Upstream PR #​32536, @​harsimran-pabla)
• Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR #​32889, Upstream PR #​32694, @​dswaffordcw)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #​32789, Upstream PR #​32725, @​gandro)
• egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR #​32778, Upstream PR #​32679, @​ysksuzuki)
• Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR #​32789, Upstream PR #​31671, @​foyerunix)
• Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR #​32691, Upstream PR #​32506, @​joamaki)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #​32691, Upstream PR #​32017, @​mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #​32691, Upstream PR #​32513, @​giorio94)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #​32691, Upstream PR #​32548, @​squeed)
• Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR #​32932, Upstream PR #​32683, @​jschwinger233)
• ingress: Set the default value for max_stream_timeout (Backport PR #​32889, Upstream PR #​31514, @​tskinn)
• Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR #​32802, Upstream PR #​32671, @​giorio94)
• ipsec: Safely delete Xfrm state (Backport PR #​32691, Upstream PR #​32450, @​jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #​32481, Upstream PR #​32367, @​sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #​32889, Upstream PR #​32338, @​stelucz)

CI Changes:

• CI: Add job name validation (Backport PR #​32500, Upstream PR #​32462, @​brlbil)
• ci: Filter supported versions of EKS (Backport PR #​32889, Upstream PR #​32304, @​marseel)
• ci: Filter supported versions of GKE (Backport PR #​32691, Upstream PR #​32302, @​marseel)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #​32691, Upstream PR #​32570, @​mhofstetter)
• ci: l4lb: restart docker-in-docker container on

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cilium-renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pkg/k8s/go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/cilium/client-go v0.27.2-fix
go: downloading k8s.io/apimachinery v0.29.2
go: downloading golang.org/x/sync v0.7.0
go: downloading k8s.io/apiextensions-apiserver v0.29.2
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading k8s.io/api v0.29.2
go: downloading k8s.io/api v0.31.0
go: github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned imports
	k8s.io/client-go/discovery imports
	k8s.io/client-go/kubernetes/scheme imports
	k8s.io/api/flowcontrol/v1alpha1: cannot find module providing package k8s.io/api/flowcontrol/v1alpha1

File name: undefined

Command failed: make codegen
go: downloading google.golang.org/grpc v1.59.0
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/stretchr/testify v1.8.4
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13
go: downloading github.com/golang/protobuf v1.5.3
go: downloading google.golang.org/grpc v1.64.0
go: downloading github.com/cilium/client-go v0.27.2-fix
go: downloading k8s.io/apimachinery v0.28.3
go: downloading k8s.io/code-generator v0.28.3
go: downloading github.com/cilium/controller-tools v0.6.2
go: downloading golang.org/x/sync v0.4.0
go: downloading k8s.io/apiextensions-apiserver v0.28.3
go: downloading github.com/google/go-cmp v0.5.9
go: downloading k8s.io/klog/v2 v2.100.1
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading k8s.io/api v0.28.3
go: downloading k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
go: downloading github.com/evanphx/json-patch v5.6.0+incompatible
go: downloading k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
go: downloading golang.org/x/time v0.3.0
go: downloading github.com/spf13/cobra v1.7.0
go: downloading github.com/go-logr/logr v1.2.4
go: downloading golang.org/x/oauth2 v0.10.0
go: downloading github.com/google/uuid v1.3.1
go: downloading golang.org/x/tools v0.13.0
go: downloading github.com/fatih/color v1.15.0
go: downloading k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4
go: downloading github.com/go-openapi/swag v0.22.4
go: downloading github.com/onsi/ginkgo/v2 v2.9.4
go: downloading github.com/mattn/go-isatty v0.0.17
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/go-openapi/jsonreference v0.20.2
go: downloading github.com/emicklei/go-restful/v3 v3.10.2
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading golang.org/x/mod v0.12.0
go: downloading k8s.io/apimachinery v0.29.2
go: downloading k8s.io/code-generator v0.29.2
go: downloading k8s.io/api v0.29.2
go: downloading golang.org/x/sync v0.7.0
go: downloading k8s.io/apiextensions-apiserver v0.29.2
go: finding module for package k8s.io/api/flowcontrol/v1alpha1
go: downloading k8s.io/api v0.31.0
go: github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned imports
	k8s.io/client-go/discovery imports
	k8s.io/client-go/kubernetes/scheme imports
	k8s.io/api/flowcontrol/v1alpha1: module k8s.io/api@latest found (v0.31.0), but does not contain package k8s.io/api/flowcontrol/v1alpha1
make[2]: *** [Makefile:47: vendor] Error 1
make[1]: *** [Makefile:211: vendor] Error 2
make: *** [Makefile:352: protogen] Error 2

File name: undefined

Command failed: make generate
go: finding module for package k8s.io/api/flowcontrol/v1alpha1
go: github.com/cilium/tetragon/pkg/k8s/client/clientset/versioned imports
	k8s.io/client-go/discovery imports
	k8s.io/client-go/kubernetes/scheme imports
	k8s.io/api/flowcontrol/v1alpha1: module k8s.io/api@latest found (v0.31.0), but does not contain package k8s.io/api/flowcontrol/v1alpha1
make[2]: *** [Makefile:47: vendor] Error 1
make[1]: *** [Makefile:211: vendor] Error 2
make: *** [Makefile:344: crds] Error 2

[cilium-renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.