CHANGELOG.md
Changelog

v1.16.0

Summary of Changes

Major Changes:

  • Add a readinessProbe to the kvstoremesh container that reports initial synchronization status to support configuring a separate, initial rate-limit to be used while synchronizing. Both clustermesh-apiserver and kvstoremesh now use a high initial rate-limit to decrease start time. (#30361, @thorn3r)
  • Add Kubernetes EndpointSlice synchronization from Cilium clustermesh (#28440, @MrFreezeex)
  • Add support for matching CiliumCIDRGroups in Egress policy rules (#30624, @chaunceyjiang)
  • api: Promote field_mask from experimental to stable, deprecating experimental option (#30133, @chancez)
  • BGP: New BGP APIs can be used to configure Cilium BGP Control Plane. (#32426, @harsimran-pabla)
  • bpf: introduce encrypted overlay datapath support (#31073, @ldelossa)
  • Cilium now supports Kubernetes Service TrafficDistribution. To access this feature, use --enable-service-topology when running Cilium. (#32678, @robscott)
  • Cilium now supports the Gateway API GAMMA initiative, allowing configuration of east-west Layer 7 interception using simpler resources. (#32744, @youngnick)
  • cilium: netkit support (#32429, @borkmann)
  • Deploy Envoy as a separate DaemonSet by default rather than running it inside the Cilium Pod (#30034, @sayboras)
  • identity: Allow nodes to be selectable by their labels instead of CIDR and/or remote-node entity. (#26924, @oblazek)
  • Improved performance for DNS lookups (up to 5x reduction in tail latency) when using ToFQDN policies. To avoid drops during upgrades in clusters with ToFQDN policies, it is highly recommended to run Cilium v1.15.6 or newer before upgrading to Cilium v1.16 (#32769, @gandro)
  • iptables: Add rules runtime reconciliation (#31372, @pippolo84)
  • k8s: Add support for Kubernetes 1.30.0 (#31687, @christarazi)
  • KVStoreMesh is now enabled by default in Clustermesh. (#32912, @marseel)
  • loader: attach programs using tcx (#30103, @rgo3)
  • multicast: add CLIs to manage multicast BPF maps (#31355, @harsimran-pabla)
  • NAT source port metrics & table (#32152, @tommyp1ckles)
  • policy/k8s: Add support for CIDRGroupRef in IngressDeny and EgressDeny (#30933, @pippolo84)
  • policy: Add support for port ranges in network policies. (#32807, @nathanjsweet)
  • policy: Add support to watch and read CNP files from directory (#32599, @tamilmani1989)
  • Promote local redirect policy (LRP) feature to stable. (#33032, @aditighag)
  • Support CEL expressions in hubble flow filters (#31070, @chancez)
  • This adds a new policy field, EnableDefaultDeny, which permits the creation of network policies that do not drop non-matching traffic. (#30572, @squeed)
  • This change introduces the BGP control-plane operator. (#28846, @harsimran-pabla)

Minor Changes:

  • "cilium-dbg map get ..." can now be called on BPF maps without cache (#31620, @AwesomePatrol)
  • Add "node-map-max" to allow configuring nodemap size. (#31407, @tommyp1ckles)
  • Add CiliumNodeConfig CRD on API v2 (#31721, @doniacld)
  • Add a description to the default GatewayClass. (#30041, @chaunceyjiang)
  • Add a new option to exclude unwanted k8s node labels from CiliumNode (#28290, @hemanthmalla)
  • Add a simple node IPAM to allow using LoadBalancer Service type on "uncontrolled" networks (#30038, @MrFreezeex)
  • Add cilium_lb_act BPF map with counters of opened and closed connections (#32584, @AwesomePatrol)
  • Add clustermesh hostname endpointslice synchronization (#31814, @MrFreezeex)
  • Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (#30635, @jdmcmahan)
  • Add flag --policy-accounting to enable/disable per-policy packet and byte accounting (default true) (#28749, @Jack-R-lantern)
  • Add helm values.schema.json file for validating supplied values for correct type. (#30631, @ubergesundheit)
  • Add Hubble metrics HTTP endpoint status metrics. Two metrics are introduced: hubble_metrics_http_handler_requests_total, which counts requests made to the endpoint, grouped by HTTP status code, and hubble_metrics_http_handler_request_duration_seconds, also grouped by HTTP status code, which tracks duration of requests made to the endpoint. (#30648, @siwiutki)
  • Add kubernetes validations to ensure CiliumLocalRedirectPolicy fields are immutable as policy updates are not supported. (Backport PR #33804, Upstream PR #33640, @chaunceyjiang)
  • Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (#30972, @ti-mo)
  • Add metrics count for dir=CT_SERVICE and disable conntrack metrics by default (#27527, @wenlxie)
  • Add option to automatically discover k8sServiceHost and k8sServicePort info (kubeadm clusters only) (#31885, @kreeuwijk)
  • Add option to disable ExternalIP mitigation (CVE-2020-8554). (#31513, @kvaster)
  • add readinessProbe to clustermesh-apiserver indicating kvstore sync status (#29643, @thorn3r)
  • Add ServiceImport support in Cilium Gateway API (#28769, @MrFreezeex)
  • Add support for ClusterIP service advertisement with BGP Control Plane (#30963, @chaunceyjiang)
  • Add support for deploying clustermesh-apiserver with multiple replicas for high availability. (#31677, @thorn3r)
  • Add support for ExternalIP service advertisement with BGP Control Plane (#31245, @chaunceyjiang)
  • Add support for the cni.cilium.io/mac-address annotation on Pod resources to control the L2 address used for Pod communication. (#29360, @chaunceyjiang)
  • Added a new annotation ingress.cilium.io/loadbalancer-class to control the LoadBalancerClass of a dedicated LB via the ingress. (#31650, @Sh4d1)
  • Added source pod metadata to generated L7 DNS visibility policies. (#32166, @nebril)
  • Adds "aws-enable-ipv6-prefix-delegation" operator option for configuring AWS ENI IPv6 prefix delegation. (#31145, @danehans)
  • Adds IPv6Pool field to the spec of CiliumNodes CRD to list the IPv6 addresses available to the node for allocation. Adds IPv6Used field to the status of CiliumNodes CRD to list all IPv6 addresses from ciliumnodes.spec.ipam.ipv6pool which have been allocated and are in use. (#31143, @danehans)
  • Adds service_implementation_delay metric accounting the duration in seconds to propagate the data plane programming of a service, its network and endpoints from the time the service or the service pod was changed excluding the event queue latency (#32055, @ovidiutirla)
  • agent: Add EnableRouteMTUForCNIChaining to propagate MTU to pods when CNI chaining is used (#33190, @brb)
  • agent: add several new flags to control Cilium's datapath events notifications (#30063, @mvisonneau)
  • Allow configuring RAM-backed clustermesh-apiserver's etcd storage for improved performance in high-scale/high-churn environments (#32823, @giorio94)
  • Allow the Host Firewall and IPv6 BPF masquerading to be used together. (#31511, @qmonnet)
  • Allows for using AWS SGs in the ingress section of rules. (#30708, @Alex-Waring)
  • api/cli: Encryption status now includes rendering IPsec status in JSON. (#30167, @viktor-kurchenko)
  • Attach hubble packet drop events on egress to source pod (Backport PR #33981, Upstream PR #33296, @hemanthmalla)
  • BGPv1 and BGPv2 - Reject all inbound BGP advertisements (#33035, @dswaffordcw)
  • bgpv1: Add Local internalTrafficPolicy support for ClusterIP advertisements (#31442, @chaunceyjiang)
  • bgpv1: Allow specifying well-known BGP standard communities using their names (#30440, @rastislavs)
  • bgpv1: BGP Control Plane metrics (#31469, @YutaroHayakawa)
  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (#30033, @rastislavs)
  • bgpv2 - adding preflight and neighbor reconciler using CiliumBGPNodeConfig resource. (#30108, @harsimran-pabla)
  • bgpv2: Fix defaulting of BGP peer config, use the default peer config only when PeerConfigRef is not specified in CiliumBGPClusterConfig. (#33392, @rastislavs)
  • bpf, ctmap: Implement map pressure metric for CT maps (#28183, @christarazi)
  • bpf: allow policy verdict notifications in bpf_host (#32934, @jibi)
  • bpf: do not invoke llc from Makefiles (#29459, @lmb)
  • bpf: WireGuard: detect tunnel traffic in native-routing mode (#31586, @julianwiedmann)
  • bpf: xdp: use bpf_xdp_get_buff_len() when available (#29472, @julianwiedmann)
  • bugtool: Collect hubble metrics (#31533, @chancez)
  • Change default CiliumLoadBalancerIPPool behavior and remove deprecated cidrs field from CiliumLoadBalancerIPPool (#33151, @dylandreimerink)
  • Change default Clustermesh control plane upgrade strategy to use surge strategy (#32999, @marseel)
  • Change Node IPAM to select all nodes if externalTrafficPolicy=Cluster and add nodeipam.cilium.io/match-node-labels annotation (#31406, @MrFreezeex)
  • Check sysctl values before writes to avoid errors on potentially read-only filesystem (#30519, @chaunceyjiang)
  • chore: Bump spire agent and server versions (#33136, @sayboras)
  • Cilium Network Policy can now redirect to different listeners on the same destination port depending on the destination. (#28555, @jrajahalme)
  • Cilium should accept any value that is not "disabled" for svc topology mode (#30113, @BSWANG)
  • Cilium-agent option --endpoint-status and helm option endpointStatus were removed. (#30761, @marseel)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (#29963, @joamaki)
  • cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (#32119, @jrajahalme)
  • CiliumEnvoyConfig CRDs now support an optional 'ports' field in services objects, limiting the redirected service frontends to the ones whose port is listed. (#32382, @jrajahalme)
  • ciliumenvoyconfig: introduce NodeSelector (#30470, @mhofstetter)
  • CiliumNetworkPolicies are now validated by the operator and the result set in the object's Status field. (#32727, @squeed)
  • cleanup: Remove cilium_isitio sidecar configuration (#30130, @sayboras)
  • cleanup: Remove deprecated values for KPR (#31286, @sayboras)
  • cni: use default logger with timestamps. (#31014, @tommyp1ckles)
  • Configure restrictive security contexts by default for clustermesh-apiserver containers (#31540, @giorio94)
  • daemon: Do not require NodePort for WireGuard (#32249, @brb)
  • datapath: Add support for skipping direct routes on different L2 networks (#32733, @jleeh)
  • datapath: Move WG skb mark check to to-netdev (#31751, @brb)
  • Do not include the unnecessary "localhost" SAN in autogenerated clustermesh admin certificates (#32662, @giorio94)
  • docs: Deprecate support for podnetwork etcd (#33030, @joestringer)
  • egressgw: remove deprecated install-egress-gateway-routes option (#32105, @julianwiedmann)
  • EGW NAT Stats Troubleshooting & EGW Docs Structure Improvements (Backport PR #33804, Upstream PR #33416, @tommyp1ckles)
  • Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (#28723, @julianwiedmann)
  • Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (#30126, @youngnick)
  • envoy: Add support for exposing Envoy Admin API (#30655, @sayboras)
  • envoy: Bump envoy image for golang 1.22.2 (#31774, @sayboras)
  • envoy: Bump envoy minor version to v1.28.0 (#29820, @sayboras)
  • envoy: Bump envoy minor version to v1.29.x (#31571, @sayboras)
  • envoy: Bump envoy version to v1.28.1 (#30697, @sayboras)
  • envoy: Bump envoy version to v1.28.2 (#31810, @sayboras)
  • envoy: Bump envoy version to v1.29.5 (#32915, @sayboras)
  • envoy: Enable DaemonSet only for new installation (#33384, @sayboras)
  • envoy: Update envoy 1.29.x to v1.29.4 (#32137, @sayboras)
  • envoy: update envoy 1.29.x to v1.29.6 (main) (#33406, @sayboras)
  • envoy: Update envoy 1.29.x to v1.29.7 (Backport PR #33630, Upstream PR #33486, @sayboras)
  • etcd, clustermesh: generalize and untangle the custom dialer logic for automatic DNS name to service ClusterIP translation (#32916, @giorio94)
  • Expose bpf_map_pressure metric for egress_gw_policy_v4 (#29943, @ysksuzuki)
  • Expose clustermesh-apiserver version through a dedicated command, and as part of logs (#32165, @giorio94)
  • externalTrafficPolicy support for Cilium Ingress and GatewayAPI (#32873, @PhilipSchmid)
  • Feat add nodePort.addresses value to set nodeport-addresses in the cilium configmap (#31672, @eyenx)
  • feat: Add the http return code to metric api_processed_total (#31227, @vipul-21)
  • Fix LRP error cases where node-local redirection was erroneously skipped. Extend LRP spec in order for users to explicitly skip node-local redirection from LRP selected backend pods. (#26144, @aditighag)
  • Fixes a rare cause of policy drops on first endpoint regeneration. (#32914, @squeed)
  • Forcefully terminate stale connections in pod network namespaces that are connected to deleted service backends when socket-lb is enabled, and allow pod applications to re-connect to active backends. (Backport PR #33941, Upstream PR #33459, @aditighag)
  • Forcefully terminate stale sockets in the host netns connected to deleted LRP backends when socket-lb is enabled, and allow applications to re-connect to active LRP backends. (#32074, @aditighag)
  • Formally define and validate the cluster name format (#32641, @giorio94)
  • fqdn: avoid expensive sort/unique of names during GC (#30920, @tklauser)
  • Gateway API BackendRef filters support (#30090, @chaunceyjiang)
  • gateway-api: Add support for proxy protocol (#30567, @chaunceyjiang)
  • gateway-api: ALPN support (#32486, @rauanmayemir)
  • gateway-api: appProtocol support (GEP-1911) (#31310, @rauanmayemir)
  • gateway-api: Bump to latest version from upstream (#31005, @sayboras)
  • gateway-api: Bump to version v1.1.0 (#32233, @sayboras)
  • gateway-api: Sync up with upstream (#31806, @sayboras)
  • GatewayAPI supports setting the number of trusted loadbalancer hops (#30662, @chaunceyjiang)
  • Generate SBOMs using Syft instead of bom (#32307, @ferozsalam)
  • helm: Add extraVolumeMounts to cilium config init container (#30131, @ayuspin)
  • Helm: Add new value `.Values.clustermesh.apiserver.tls.enableSecrets`. Setting this value to false will disable the creation of TLS certificate secrets for clustermesh, enabling out-of-band TLS certificate secret management. (#32196, @soggiest)
  • helm: Add possibility to control creation of GatewayClass (Backport PR #33630, Upstream PR #33446, @balous)
  • helm: Allow configuration of Envoy --base-id for Envoy DaemonSet (#30466, @cpu601)
  • helm: Bump minimum k8s version to v1.21+ (#31648, @sayboras)
  • helm: Cleanup old k8s version check and deprecated attributes (#31940, @sayboras)
  • helm: ensure that envoy daemonset is installed only when needed (#33431, @f1ko)
  • helm: loadBalancerClass for Cluster Mesh APIserver (#33033, @PhilipSchmid)
  • Helm: possibility to install operator as standalone app (#32019, @balous)
  • helm: Remove deprecated flags proxy.prometheus.{enabled,port} (#30598, @sayboras)
  • helm: Remove deprecated option containerRuntime.integration (#31942, @sayboras)
  • helm: Remove deprecated values encryption.* (#30613, @sayboras)
  • Hubble now has an option to emit v1.Events related to pods on detection of packet drops. (#29565, @robinelfrink)
  • Hubble peer's port number is inferred from the agent's configuration instead of assuming defaults (#32729, @AwesomePatrol)
  • hubble/correlation: Support deny policies (#31544, @gandro)
  • Hubble: add possibility to export flows to container logs (#31422, @siegmund-heiss-ich)
  • hubble: add SNAT IP flow field and filter (#32130, @kaworu)
  • hubble: add support to filter Hubble flow by network interface. (#32286, @kaworu)
  • hubble: add the cluster name to a flow's source and destination endpoints (#32313, @rolinh)
  • hubble: add trace reason support in hubble flows (#31226, @kaworu)
  • hubble: node labels (#32851, @kaworu)
  • hubble: support drop_reason_desc in flow filter (#32135, @chaunceyjiang)
  • ICMP: Introduce ICMP type name in ICMPField (#30330, @Shunpoco)
  • Improved background resynchronization of nodes. Previously, all nodes were updated at the same time; updates are now spread over time to average out CPU usage. (#32577, @marseel)
  • Increase the minimum required kernel version to v5.4 / RHEL 8.6. (#30869, @lmb)
  • ingress/gateway-api: expose listeners on host network (#30840, @mhofstetter)
  • ingress: Add check for kpr and nodeport (#30592, @sayboras)
  • ingress: Allow strict kube-proxy-replacement (#31284, @sayboras)
  • ingress: request timeout control via operator flag & annotation (#31693, @a5r0n)
  • ingress: Support headless service (#32644, @sayboras)
  • install/kubernetes: add extraInitContainers (#32245, @bewing)
  • Introduce --force-device-detection option to apply the auto-detection criteria also when devices are explicitly listed with --devices. (#32730, @kvaps)
  • Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (#31159, @pchaigno)
  • Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (#32336, @giorio94)
  • Introduce granular etcd permissions to access KVstoreMesh cached data (#33082, @giorio94)
  • ipsec: Deprecate global IPsec keys (Backport PR #33630, Upstream PR #33504, @pchaigno)
  • ipsec: Improve CPU usage of cilium-agent in large clusters (#32588, @marseel)
  • ipset: Rework the reconciler to use batch ops (#31638, @pippolo84)
  • k8s: improve user facing error logging for k8s decode errors. (#33245, @tommyp1ckles)
  • KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (#32156, @giorio94)
  • labels: Add controller-uid into default ignore list (#31964, @sayboras)
  • labelsfilter: Always apply Cluster entity specific identity-relevant label (#31178, @soggiest)
  • lb-ipam: Add annotation alias with lbipam.cilium.io prefix (#30169, @sayboras)
  • lbipam: allow cross namespace IP sharing (#30055, @rissson)
  • loader: Significantly reduce memory usage during endpoint regeneration (#32059, @lmb)
  • Make endpointslice clustermesh syncing opt-out for headless services (#32021, @MrFreezeex)
  • Make hubble-relay more resilient to transient errors (Backport PR #33981, Upstream PR #33894, @chancez)
  • Make the overwriting behavior of install-plugins.sh configurable. (#32016, @jingyuanliang)
  • More validation has been added to the CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy CRDs. Policies that may have been ignored by the Cilium agent will now be rejected by the Kubernetes API server. (#32814, @squeed)
  • NodePort service frontends are now automatically updated when the node's IP addresses change. This may have an impact on NodePort services manually added via the cilium-dbg tool if the used frontend IP is not assigned on the node. (#30374, @joamaki)
  • Only detach Cilium-owned legacy XDP programs when XDP is disabled (#31654, @ti-mo)
  • Operator: expose remote clusters information through dedicated CLI command, and introduce troubleshoot commands (#32436, @giorio94)
  • pkg/healthv2: reduce unnecessary healthv2 debug log volume. (#32319, @tommyp1ckles)
  • pkg/kvstore/allocator: Standardize usage of logfields (#30526, @antonipp)
  • policy: Do not select any identity with empty slices (#29608, @pippolo84)
  • Remove etcd.managed Helm setting (#32921, @joestringer)
  • Remove helm option enable-remote-node-identity after being deprecated in v1.15. (#31228, @doniacld)
  • Removed cilium-agent permissions to update CiliumNetworkPolicy and CiliumClusterWideNetworkPolicy statuses (#33228, @marseel)
  • Rename the cilium cleanup command to post-uninstall-cleanup (#30471, @littlejo)
  • Report estimated expiry timers for connection-based FQDN entries (#32013, @joestringer)
  • Restore health IPs from local ciliumnode resource (#30383, @haozhangami)
  • Runtime device detection and subsequent datapath reconfiguration is now the default and only mode of operation. The enableRuntimeDeviceDetection option is now a no-op and will be removed in v1.17. (#32153, @joamaki)
  • Service connections that use Direct-Server-Return and were established prior to Cilium v1.13.3 will be disrupted, and need to be re-established. (#32642, @julianwiedmann)
  • Simplify rate limit configuration options for the CiliumEndpointSlice controller. (#32523, @thorn3r)
  • Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (#31082, @julianwiedmann)
  • Starting cilium-agent with large numbers of network policies should be much faster. (#32703, @squeed)
  • StateDB based Health (#30925, @tommyp1ckles)
  • Support ingress.cilium.io/force-https annotation (functionally equivalent to nginx.ingress.kubernetes.io/force-ssl-redirect) (#30616, @youngnick)
  • Support configuring TLS for hubble metrics server (#31973, @chancez)
  • Support Egress Gateway for endpoints that are also selected by a L7 Network Policy. (#32828, @ysksuzuki)
  • Support IPv4 fragmentation for service backends. (#31364, @julianwiedmann)
  • Support for dynamic CES Controller throttling configuration based on the number of nodes (#29861, @alan-kut)
  • Switch the RBAC used for hubble certificate generation in cronJob mode to namespace-scoped. (#33027, @giorio94)
  • The StateDB in-memory database library was switched to github.com/cilium/statedb with a new, much faster radix tree implementation. This is used internally in the cilium-agent for storing and accessing, among others, the network devices and local node IP addresses. This state can be inspected with the "cilium-dbg statedb" commands. cilium-dbg: added the "statedb ipsets" command; cilium-dbg: "statedb sysctl-settings" is now "statedb sysctl". (#32125, @joamaki)
  • This allows the initialDelaySeconds option to be configured. This allows users running larger clusters to extend the time it takes for preflight to become ready. (#30495, @chaunceyjiang)
  • Trim clustermesh-apiserver ClusterRole permissions when external workloads support is disabled (#30743, @giorio94)
  • ui: release v0.13.0 (#30711, @geakstr)
  • ui: v0.13.1 release (#32852, @geakstr)
  • Unconditionally require the clustermesh cluster configuration to be always present (#32505, @giorio94)
  • Update deprecated Prometheus Metrics (#30632, @karojohn)
  • WG: Improve L7 checks (#31299, @brb)
  • When upgrading, users can experience a change to their configuration if they were overriding the k8s-heartbeat-timeout flag. K8s client timeout and keep alive are no longer getting values from the k8s-heartbeat-timeout flag, but have default values (30 seconds). (#32625, @dlapcevic)
  • WireGuard: Deprecate userspace fallback (#31867, @gandro)

Bugfixes:

  • .github/workflows: fix digests file creation (#32860, @aanm)
  • Add default toleration for SPIRE agent on control plane nodes (#28947, @meyskens)
  • Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (#32117, @giorio94)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#29482, @ti-mo)
  • add support for validation of stringToString values in ConfigMap (Backport PR #33846, Upstream PR #33779, @alex-berger)
  • Agent: add kubeconfigPath to initContainers (#32008, @darox)
  • Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (#30299, @rgo3)
  • auth: fix fatal error: concurrent map iteration and map write (Backport PR #33804, Upstream PR #33634, @chaunceyjiang)
  • Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (#31820, @julianwiedmann)
  • Avoid panic during BPF program compilation when clang command fails to start (#30009, @ti-mo)
  • Avoid race during RevSNAT mapping creation, resulting in packet drop with "No mapping for NAT masquerade". (#33115, @lmb)
  • Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (#32155, @julianwiedmann)
  • Bandwidth limits are now enforced also for network devices added after Cilium agent has started (e.g. for new ENI devices). (#30419, @joamaki)
  • bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (#32536, @harsimran-pabla)
  • bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (#29954, @rastislavs)
  • bgpv1: reorder neighbor creation and deletion steps (#33262, @harsimran-pabla)
  • bgpv2: use peer asn and address in the key (#33263, @harsimran-pabla)
  • bpf: fix wrong loopback address mask value (#29946, @haiyuewa)
  • bpf: rename UINT8_MAX to UINT16_max and fix cluster_id casts (#33240, @thorn3r)
  • bpf: use bpf_htons instead of using shift (#31247, @chez-shanpu)
  • cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #33804, Upstream PR #33616, @mrproliu)
  • Cilium allows selecting 'lo' as a device again. (#31200, @bimmlerd)
  • Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (#32694, @dswaffordcw)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (#29239, @jrajahalme)
  • Cilium dnsproxy now retries forwarded request id allocation before failing for a duplicate request id. (#32870, @jrajahalme)
  • Cilium now correctly handles the case when a to/fromCIDRSet policy only contains a cidrGroupRef to a non-existent cidrGroup by denying traffic. (#33396, @bimmlerd)
  • Cilium restart now waits for Envoy resources to stabilize on restart before serving them to daemonset Envoy, reducing policy churn. (#32824, @jrajahalme)
  • cilium-agent: Fix crash due to skipped resource cleanup when agent is stopping due to failed start. (#32673, @joamaki)
  • cilium-cni: Reserve ports that can conflict with transparent DNS proxy (#32128, @gandro)
  • cilium-health: Fix broken retry loop in cilium-health-ep controller (#31622, @gandro)
  • cni: Allow text-ts log format value (#31686, @sayboras)
  • cni: Reserve local ports for DNS proxy even if IPv6 is disabled (#32725, @gandro)
  • cni: Use batch endpoint deletion API in chaining plugin (#31456, @sayboras)
  • cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (#32244, @learnitall)
  • Correctly remove data cached by KVStoreMesh for a given cluster when disconnecting from such cluster (Backport PR #33630, Upstream PR #33153, @giorio94)
  • ctmap: Stop GC handler if signal map is closed (#33281, @gandro)
  • daemon/cmd: Updates restoreIPCache() to use errors.Is() (#30220, @danehans)
  • daemon: Fail init if requirements for BPF masquerade are not met (#29778, @pippolo84)
  • daemon: Run conntrack GC after Endpoint Restore (#32012, @joestringer)
  • Datapath conntrack entries for reopened connections are fully reinitialized to fix rare L7 proxy redirect failures. (#32653, @jrajahalme)
  • datapath: Fix redirect from L3 netdev to tunnel (#33421, @brb)
  • Datasource error fixed for Hubble DNS and Network dashboards (#30580, @Pionerd)
  • DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #33804, Upstream PR #33592, @gandro)
  • dnsproxy: Fix bug where DNS request timed out too soon (#31999, @gandro)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (#29400, @meyskens)
  • Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (#29917, @bimmlerd)
  • egress-gateway: Validate ep identity before fetching labels (#33311, @pippolo84)
  • egressgw: Let the EGW manager relax rp_filter on egress device (#32679, @ysksuzuki)
  • endpoint: fix inability to create endpoint with labels in a single API call (#30170, @oblazek)
  • Envoy now reopens ipcache on agent restart and avoids upstream bind errors on concurrent access to a destination. (#32864, @jrajahalme)
  • Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (#32270, @jrajahalme)
  • envoy: Avoid duplicated upstream callback (#30945, @sayboras)
  • envoy: Avoid short circuit backend filtering (Backport PR #33630, Upstream PR #33403, @sayboras)
  • envoy: Bump envoy image to include proxy_protocol filter (#30260, @sayboras)
  • envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (#30543, @chaunceyjiang)
  • envoy: Fix data race in RegisterServiceUsageInCEC (Backport PR #33941, Upstream PR #33903, @chaunceyjiang)
  • envoy: fix SO_REUSEPORT with BPF TPROXY (#30397, @mhofstetter)
  • envoy: pass idle timeout configuration option to cilium configmap (#32203, @mhofstetter)
  • envoy: register secret syncer even if only CEC is enabled (#31447, @mhofstetter)
  • Fix #32587 concurrent hubble dynamic exporter stop and reload (#33000, @marqc)
  • Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (#31164, @joamaki)
  • Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and --devices provided. (#31345, @pchaigno)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (#29986, @qmonnet)
  • Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (#31395, @tklauser)
  • Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (#30248, @ti-mo)
  • Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started. Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #33817, Upstream PR #33629, @joamaki)
  • Fix an issue where cilium is unable to allocate IP addresses when it is running on newly launched AWS instances (#30308, @AnishShah)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (#29616, @learnitall)
  • Fix azure ipam flake caused by instance resync race condition. (#31580, @tommyp1ckles)
  • Fix bpf_sock compilation for ipv6-only (#30553, @alexferenets)
  • Fix bug in indexing of routes that lead to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (#30762, @dylandreimerink)
  • Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (#31039, @joestringer)
  • Fix bug that prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (#30909, @aanm)
  • Fix bug that caused all nodes to report false errors when L2 Neighbor Discovery was enabled (#32890, @thorn3r)
  • Fix bug that could cause IPsec route change failures to be silent. (#29423, @derailed)
  • Fix bug where setting the k8sNetworkPolicy Helm value to false did not take effect (#32441, @hasan-alkama)
  • Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (#29745, @thorn3r)
  • Fix Cilium default values for EKS when Cilium clustermesh-apiserver LoadBalancer fails to create NLB with AWS Load Balancer Controller with syntax error. (#31329, @oshangalwaduge)
  • Fix CiliumEnvoyConfig Nodeport handling (#33040, @youngnick)
  • Fix CNP/CCNP update when selectors change from nil to empty non-nil slices (Backport PR #33804, Upstream PR #33506, @pippolo84)
  • Fix configuration generated from Helm values for hubble-drop-events-reasons to use a whitespace item separator (Backport PR #33804, Upstream PR #33699, @EricMountain)
  • Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (#31671, @foyerunix)
  • fix edge case in node addressing logic which could result in a panic (#30757, @dylandreimerink)
  • Fix error when using multiple allowRoutes namespaces in gateway (#30100, @chaunceyjiang)
  • Fix failing service connections when the service requests are transported via cilium's overlay network. (#32116, @julianwiedmann)
  • Fix GC interval calculation by taking into account the actual time passed between GC runs. (#28657, @gentoo-root)
  • Fix host firewall policy enforcement for pod to node traffic when tunneling is enabled and KPR is disabled (#30818, @giorio94)
  • Fix Hubble label selector parsing for labels with dots (#30411, @glrf)
  • Fix hubble metrics leak by using CiliumEndpoint watcher to remove stale metrics. (#33260, @sgargan)
  • Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (#31781, @giorio94)
  • Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused the wrong address to be selected for NodePort use, or an out-of-bounds access. (#32506, @joamaki)
  • Fix instances of leaked health reporter updates. (#30134, @tommyp1ckles)
  • Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (#31539, @giorio94)
  • Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (#29460, @tommyp1ckles)
  • Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (#30399, @tlcowling)
  • Fix nodeipam cell not registered (#30250, @MrFreezeex)
  • Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (#29581, @xyz-li)
  • Fix performance regression for pod-to-pod traffic with WireGuard and tunneling. (#30329, @3u13r)
  • Fix PromQL query in Cilium Metrics dashboard (#32017, @mikemykhaylov)
  • Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (#30282, @giorio94)
  • Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (#32513, @giorio94)
  • Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #33804, Upstream PR #33735, @giorio94)
  • Fix rare spurious double reconnection upon clustermesh configuration change for remote cluster (#33248, @giorio94)
  • Fix release build SBOM generation (#33070, @ferozsalam)
  • Fix selecting of endpoints by namespace labels in network policies (#30650, @Mugenor)
  • Fix service connection to terminating backend when the service has no more backends available. (#31840, @julianwiedmann)
  • Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (#32239, @thorn3r)
  • Fix the logic of the api-server connectivity check for the kubernetes probe (#31019, @tkna)
  • Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (#30766, @pippolo84)
  • Fix too many open Unix sockets (Backport PR #33630, Upstream PR #33569, @chaunceyjiang)
  • Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (#31605, @christarazi)
  • fix: Delegated IPAM does not configure IPv6 if IPv6 is disabled in agent (#31104, @tamilmani1989)
  • fix: PromQL syntax on cilium policy query Grafana dashboard (#29938, @M0NsTeRRR)
  • Fixed a bug where an endpoint could become stuck due to outdated revision numbers during concurrent updates. (#32817, @ovidiutirla)
  • Fixed a race condition in service updates for L7 LB. (#31744, @jrajahalme)
  • Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (#30504, @marseel)
  • Fixed issue when updated nodes were being reported with unknown connectivity status in health report (#30917, @marseel)
  • Fixed issue with assigning 0 nodeID when the corresponding bpf map runs out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (#31380, @marseel)
  • Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (#32168, @squeed)
  • Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (#31205, @squeed)
  • Fixes a missing rev-DNAT issue when wireguard, nodeport, KPR, and L7 proxy are enabled together. (Backport PR #33804, Upstream PR #33426, @jschwinger233)
  • Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #33630, Upstream PR #33511, @skmatti)
  • Fixes a route installing issue which may cause trouble for cilium downgrade. (#31716, @jschwinger233)
  • Fixes accidentally ignoring the preflight.nodeSelector Helm value. (#32548, @squeed)
  • Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (#30548, @squeed)
  • Fixes an IPv6 issue where cilium doesn't respond to Neighbor Solicitation targeting the pods on the same node. (#30837, @jschwinger233)
  • Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (#29594, @jschwinger233)
  • Fixes proxy issues in egress direction (#30095, @jschwinger233)
  • Fixes some valid GC entries being removed at agent restart (#29696, @rsafonseca)
  • Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (#32683, @jschwinger233)
  • fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (#31959, @marseel)
  • fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. (#31784, @nathanjsweet)
  • fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (#31328, @nathanjsweet)
  • gateway-api: Check for matching controller name (#33050, @sayboras)
  • gateway-api: Correct the null check for GRPCRoute Match (#31052, @sayboras)
  • gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (#30686, @cjvirtucio87)
  • gateway-api: fix status reconcile error handling (#29894, @mhofstetter)
  • gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (#31361, @chaunceyjiang)
  • gateway-api: Requeue Gateway for owning GRPCRoute (#30124, @sayboras)
  • gateway-api: Retrieve LB service from same namespace (#31271, @sayboras)
  • gateway-api: shorten the length of the value of the svc's label. (#31292, @chaunceyjiang)
  • gateway-api: Un-set externalTrafficPolicy on LB service for host network (#33101, @otaconix)
  • gateway: Add GRPCRoute support for status changed predicate (#30176, @sayboras)
  • Handle InvalidParameterValue as well for PD fallback (#31016, @hemanthmalla)
  • helm: Decouple sysctlfix from cgroup.autoMount (#32866, @YutaroHayakawa)
  • helm: Fix Prometheus metrics annotations for Hubble Relay (#30501, @chaunceyjiang)
  • helm: Probe Envoy DaemonSet localhost IP directly (#30970, @iandrewt)
  • helm: remove CriticalAddonsOnly toleration in preflight DaemonSet (#32682, @HongChenTW)
  • helm: remove duplicate metrics for Envoy pod (Backport PR #33846, Upstream PR #33803, @mhofstetter)
  • helm: Update pod affinity for cilium-envoy (#31150, @sayboras)
  • hive: Fix start hook log output (#30712, @joamaki)
  • hubble/relay: Fix certificate reloading in PeerManager (#31376, @glrf)
  • hubble: fix parsing of invalid HTTP URLs (#31100, @kaworu)
  • Hubble: fix traffic direction and is reply when IPSec is enabled (#31211, @kaworu)
  • If the source address is a remote node then we should treat it as outside traffic. (#30240, @kvaster)
  • Ignore CiliumIdentity delete conflicts during the gc run (by skipping deletion and emitting a warning), allowing gc to continue if a subset of identities are conflicted. Prior to this change conflicts would cause gc to error, which could lead to an unexpected accumulation of stale CiliumIdentity objects. (#33143, @JacobHenner)
  • Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (#31646, @mhofstetter)
  • ingress/gateway-api: sort virtual hosts in CEC (#31493, @mhofstetter)
  • ingress/gateway-api: stable envoy listener filterchain sort-order (#31572, @mhofstetter)
  • ingress: Set active backend number for Local ETP (Backport PR #33846, Upstream PR #33600, @sayboras)
  • ingress: Set the default value for max_stream_timeout (#31514, @tskinn)
  • init well-known identity before new policy repository to fix the fqdn policy issue when well-known identity is enabled. (#30052, @yingnanzhang666)
  • Introduce fromEgressProxyRule (#31923, @jschwinger233)
  • Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (#32671, @giorio94)
  • ipam: retry netlink.LinkList call when setting up ENI devices (#32099, @jasonaliyetti)
  • ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport PR #33630, Upstream PR #33512, @jasonaliyetti)
  • ipsec: Safely delete Xfrm state (#32450, @jschwinger233)
  • iptables: Explicitly wait for iptables wrappers to be initialized (Backport PR #33941, Upstream PR #33867, @pippolo84)
  • iptables: Fix wait args race during startup (Backport PR #33941, Upstream PR #33824, @pippolo84)
  • iptables: Run an initial full reconciliation to avoid spurious startup errors (#33097, @pippolo84)
  • IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport PR #33630, Upstream PR #33448, @jrajahalme)
  • k8s/utils: correctly filter out labels in StripPodSpecialLabels (#31421, @tklauser)
  • L2 announcements retry getting lease after losing it (#30340, @dylandreimerink)
  • l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (#30107, @mhofstetter)
  • linux/node: reallocate nodeID upon conflict (Backport PR #33981, Upstream PR #33666, @bimmlerd)
  • loader: fix obsolete XDP program removal (#30163, @rgo3)
  • loader: sanitize bpffs directory strings for netdevs (#32090, @rgo3)
  • loader: work around race in ebpf.MapSpec.createMap (Backport PR #33981, Upstream PR #33882, @lmb)
  • maps/metricspath: protect against concurrent access in Collect (#30104, @buroa)
  • metric: Avoid memory leak/increase in cilium-agent (#31714, @sayboras)
  • metrics: Disable prometheus metrics by default (#31144, @joestringer)
  • node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (#30423, @gandro)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (#29964, @gandro)
  • Only read the relevant parts of secrets for originatingTLS (ca.crt) and terminatingTLS (tls.crt, tls.key) blocks in Cilium L7 policies. Fixes a bug where a ca.crt key in a secret passed to terminatingTLS incorrectly configures Envoy to require a client certificate on TLS connections from pods. Previous behavior can be restored with the --use-full-tls-context=true agent flag. (#31903, @JamesLaverack)
  • operator: fix errors/warnings metric. (#31214, @tommyp1ckles)
  • pkg/endpoint: fix endpoint health update always being ok. (#30365, @tommyp1ckles)
  • pkg/metrics: fix data race warning on metrics init hook. (Backport PR #33941, Upstream PR #33823, @tommyp1ckles)
  • pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (#30257, @danehans)
  • policy: Fix mapstate changes error in entry change comparison (#29815, @jrajahalme)
  • proxy: Re-enable proxy rule installation in native-routing mode for CEC (#32367, @sayboras)
  • Recreate CT entries for non-TCP to fix L7 proxy redirect failures. (#33222, @ysksuzuki)
  • Reduce conntrack lifetime for closing service connections. (Backport PR #33941, Upstream PR #33907, @julianwiedmann)
  • Remove a misplaced ls alias that caused cilium-dbg bpf auth ls to flush the map. (#30445, @meyskens)
  • Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (#32338, @stelucz)
  • Remove non fatal errors from SPIRE client in the operator (#28698, @meyskens)
  • Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #33630, Upstream PR #33551, @julianwiedmann)
  • Revert PR #32244 which caused unintended side-effects that negatively impacted network performance. (#33304, @learnitall)
  • Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #33804, Upstream PR #33306, @skmatti)
  • socketlb: tolerate cgroupv1 when detaching bpf programs (Backport PR #33630, Upstream PR #33599, @rgo3)
  • srv6: Fix packet drop with GSO type mismatch (#30732, @YutaroHayakawa)
  • statedb: Fix race between Observable and DB stopping (#30816, @joamaki)
  • tables: Sort node addresses also by public vs private IP (#30579, @joamaki)
  • The cilium agent now cleans up stale nodeID mappings and other node-related state on startup (Backport PR #33630, Upstream PR #33278, @bimmlerd)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (#29848, @joamaki)
  • Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport PR #33630, Upstream PR #33472, @jasonaliyetti)
  • Updated kernel parsing to handle single and double digit kernel versions as well (#30699, @MeherRushi)
  • Updating ENI prefix delegation fallback to use dedicated error codes (#30536, @hemanthmalla)
  • When the Bandwidth Manager feature is enabled, don't apply Egress rate-limiting to "Port unreachable" ICMP replies by Cilium's North-South Loadbalancer. (Backport PR #33630, Upstream PR #33624, @julianwiedmann)
  • xds: Avoid xds timeout due to agent restart in envoy DS mode (#31061, @sayboras)

CI Changes:

  • .github: Add permissions for workflow telemetry (#32410, @joestringer)
  • .github: Add workflow telemetry (#32037, @joestringer)
  • .github: Don't update LVH bpf-next images on stable branches (#29835, @joestringer)
  • .github: Fix LVH image bump for main branch (#30284, @joestringer)
  • .github: Pretty-print gateway API test results (#32039, @joestringer)
  • [Kind] ipfamily should be set by platform configuration. (#30332, @fujitatomoya)
  • [v1.16] ci: Add call backport label updater workflow (#33759, @pippolo84)
  • Add dispatch for fqdn_perf test (#32762, @marseel)
  • Add dispatch for scale/perf workflows and notice (#33201, @marseel)
  • Add fqdn perf test (#32514, @marseel)
  • Add RHEL8 kernel to CI (#30421, @lmb)
  • Add WireGuard configurations to automated network throughput tests (#32134, @learnitall)
  • Additionally test host firewall + KPR disabled in E2E tests (#30914, @giorio94)
  • AKS: avoid overlapping pod and service CIDRs (#31504, @bimmlerd)
  • alibabacloud/eni: avoid racing node mgr in test (#31877, @bimmlerd)
  • Always update lvh in tandem with lvh-images (#30596, @lmb)
  • ariane: Fix detection of changes to nat46x64 tests (#32070, @joestringer)
  • bgpv1: avoid object tracker vs informer race (#31010, @bimmlerd)
  • bgpv1: fix Test_PodIPPoolAdvert flakiness (#31365, @rastislavs)
  • bgpv2/ci: added watch reactor for bgp cluster config (#31381, @harsimran-pabla)
  • bgpv2: use different ports in unit tests (#30528, @harsimran-pabla)
  • bpf, CI: Enable LRP connectivity tests (#32862, @aditighag)
  • bpf/tests: Add BPF_TEST_FILE to run a single test (#33407, @brb)
  • bpf: add test for encrypted overlay (#32627, @julianwiedmann)
  • bpf: Cover IPsec+KPR in complexity and compile tests (#32316, @pchaigno)
  • bpf: fix go testdata check in ci (#31419, @mhofstetter)
  • bpf: fix test configuration for 5.10 and 6.1 kernels (#29999, @julianwiedmann)
  • bpf: improve Wireguard test coverage (#33127, @julianwiedmann)
  • Bump CLI to v0.16.11 (Backport PR #33630, Upstream PR #33444, @brb)
  • Centralize configuration of kind version/image in GitHub Action workflows (#30916, @giorio94)
  • Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (#31198, @giorio94)
  • ci conformance e2e: increase request timeout from 10s to 30s. (#30192, @tommyp1ckles)
  • ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (#30211, @qmonnet)
  • ci-e2e-upgrade: Disable ingress-controller and bpf.tproxy=true (#31917, @brb)
  • ci-e2e-upgrade: Make it stable (#31895, @brb)
  • ci-e2e: Add e2e test with WireGuard + Host Firewall (#31594, @qmonnet)
  • ci-e2e: Add matrix for bpf.tproxy and ingress-controller (#31272, @sayboras)
  • ci-e2e: Add the coverage for Ingress + bpf.masquerade (#32761, @sayboras)
  • ci-e2e: Enable Ingress Controller test for more setup (#30657, @sayboras)
  • ci-l4lb: Remove unnecessary untrusted checkout (#32071, @joestringer)
  • CI/ClusterMesh: enable CiliumEndpointSlice in Conformance Cluster Mesh (#32593, @thorn3r)
  • ci/ipsec-upgrade: complete the switch to cilium-dbg (#32348, @julianwiedmann)
  • ci/ipsec: Fix downgrade version for release preparation commits (#30532, @qmonnet)
  • ci/ipsec: Fix downgrade version retrieval (#30742, @qmonnet)
  • ci/ipsec: Fix version retrieval for downgrades to closest patch release (#30503, @qmonnet)
  • ci/ipsec: Print more info to debug credentials removal check failures (#31652, @qmonnet)
  • ci: Add a call to the update label backport action (#29902, @joestringer)
  • ci: Add IPsec leak detection for ci-ipsec-e2e (#32930, @jschwinger233)
  • CI: Add job name validation (#32462, @brlbil)
  • ci: Add matrix for bpf.tproxy and ingress-controller (#31875, @sayboras)
  • ci: add tests for migration to CiliumEndpointSlice (#32268, @jshr-w)
  • ci: add trigger phrase to Gateway API conformance test workflow name (#30525, @tklauser)
  • ci: Bump lvh-kind ssh-startup-wait-retries (#31387, @YutaroHayakawa)
  • CI: Change cloud regions (#30378, @brlbil)
  • ci: check kvstoremesh for vulnerabilities only on v1.14 (#29918, @mhofstetter)
  • ci: check license of third party Go dependencies (#31129, @rolinh)
  • ci: continue container scanning on error (#29921, @ferozsalam)
  • ci: enable BGP Control Plane in e2e tests (Backport PR #33941, Upstream PR #33488, @rastislavs)
  • CI: enable CiliumEndpointSlice in conformance-e2e (#32403, @thorn3r)
  • ci: Enhance test execution security by restricting permissions to the 'organization-members' team (#30790, @brlbil)
  • ci: Extend K8s FQDN test to assert numeric identities after restoration (#33400, @gandro)
  • ci: fail container scans on vulnerability scan results (#31092, @ferozsalam)
  • ci: Filter supported versions of AKS (#32303, @marseel)
  • ci: Filter supported versions of EKS (#32304, @marseel)
  • ci: Filter supported versions of GKE (#32302, @marseel)
  • CI: Fix Artifact Creation Failure Due to Invalid Character in Name (#29884, @brlbil)
  • ci: fix ces migration test trigger and conn-disrupt usage (#33147, @jshr-w)
  • ci: fix cluster name in CI tests (#33004, @marseel)
  • ci: fix conformance gateway-api & ingress sysdump gathering & upload (#29960, @mhofstetter)
  • ci: fix eks image pull flake (#30030, @brlbil)
  • ci: Fix PR labels parsing in update label workflow (#30507, @pippolo84)
  • ci: Fix typo on "Ginkgo" (#32317, @qmonnet)
  • ci: ginkgo: increase cilium readiness timeout from 240 to 360s (#32585, @mhofstetter)
  • ci: increase conformance-aks timeout (#30438, @brlbil)
  • ci: Increase timeout for images for l4lb test (#32201, @marseel)
  • ci: increase wait duration after upgrade/downgrade in E2E upgrade test (#32528, @mhofstetter)
  • ci: l4lb: Don't hang on gathering logs forever (#32947, @joestringer)
  • ci: l4lb: gather more info about docker-in-docker issues (#32570, @mhofstetter)
  • ci: l4lb: restart docker-in-docker container on failure (#32600, @mhofstetter)
  • ci: make runtime privileged tests not run in parallel (#33091, @marseel)
  • ci: only install llvm/clang and ginkgo for ginkgo test suite changes (#32309, @tklauser)
  • ci: remove build artifacts in integration tests to prevent space issues (#32050, @giorio94)
  • ci: remove container scanning workflow (#32905, @ferozsalam)
  • ci: remove k8s version 1.26 from ci-aks (#32498, @mhofstetter)
  • ci: run privileged unit tests only once (#31779, @tklauser)
  • ci: Set cluster id in external workloads (Backport PR #33804, Upstream PR #33694, @marseel)
  • ci: Set hubble.relay.retryTimeout=5s (#32066, @chancez)
  • CI: Update tested K8S versions across all cloud providers (#30795, @brlbil)
  • ci: use base and head SHAs from context in lint-build-commits workflow (#32140, @tklauser)
  • cli: Replace --cluster-name with --helm-set cluster.name (#31095, @michi-covalent)
  • clustermesh up/downgrade: test maxConnectedCluster (#30446, @thorn3r)
  • CODEOWNERS: Remove the catch-all rule (#32174, @michi-covalent)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (#29893, @giorio94)
  • contrib/scripts: Remove false positives from check-go-testdata.sh (#31089, @dylandreimerink)
  • controlplane: fix mechanism for ensuring watchers (#31030, @bimmlerd)
  • deflake endpointmanager tests (#31488, @bimmlerd)
  • Don't cache LLVM in the CI to resolve disk space issues. (#32045, @gentoo-root)
  • Drop legacy and superseded test from the Ginkgo suite (#31411, @giorio94)
  • Drop the remaining references to the CILIUM_CLI_MODE environment variable in GHA workflows. (#31199, @giorio94)
  • eks: Don't use spot instances (#32553, @michi-covalent)
  • enable kube cache mutation detector (#32069, @aanm)
  • Extend the clustermesh workflows to additionally cover the external kvstore case (#29983, @giorio94)
  • Fix bug in CES migration workflow causing it to fail when it should be skipped. (#33290, @learnitall)
  • Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (#30610, @learnitall)
  • Fix datapath mode in Network Performance CI test (#30756, @marseel)
  • Fix ipset reconciler unit tests (#31836, @pippolo84)
  • fix k8s versions tested in CI (#31966, @nbusseneau)
  • Fix node throughput (#31825, @marseel)
  • Fix sysctl reconciler unit tests (#31833, @pippolo84)
  • fqdn: Fix benchmarking for fqdn cache test (#32276, @joestringer)
  • gateway-api: Enable GRPCRoute conformance tests (#31055, @sayboras)
  • gateway: Sync up the experimental conformance test (#31017, @sayboras)
  • GCP OIDC instead of SA creds. (#30809, @viktor-kurchenko)
  • GCP performance OIDC auth. (#30844, @viktor-kurchenko)
  • gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (#29704, @brb)
  • gh/workflows: Bump CLI to v0.15.18 (#29849, @brb)
  • gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (#30520, @julianwiedmann)
  • gh: e2e-upgrade: disable config 7 (#33096, @julianwiedmann)
  • gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport PR #33630, Upstream PR #33509, @julianwiedmann)
  • gh: workflows: clarify reference to issue #23283 (#31118, @julianwiedmann)
  • gha: Add http client timeout in Ingress (Backport PR #33804, Upstream PR #33683, @sayboras)
  • gha: Add more flags for Ingress Conformance test (#33185, @sayboras)
  • gha: additionally cover BPF masquerade in clustermesh E2E tests (#30321, @giorio94)
  • gha: Avoid the warning for kind-action (#30601, @sayboras)
  • gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (#32347, @giorio94)
  • gha: bump status wait timeouts in clustermesh upgrade/downgrade tests (#33061, @giorio94)
  • gha: Clean-up renovate config for integration test (#31726, @sayboras)
  • gha: configure fallback runner type for conformance-k8s-kind workflow (Backport PR #33981, Upstream PR #33940, @giorio94)
  • gha: configure fully-qualified DNS names as external targets (#31510, @giorio94)
  • gha: Correct number of connect retry param in LVH (#32598, @sayboras)
  • gha: Correct skipped test name in GatewayAPI (#32881, @sayboras)
  • gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (#32684, @giorio94)
  • gha: disable fail-fast on integration tests (#31420, @giorio94)
  • gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #33941, Upstream PR #33819, @giorio94)
  • gha: drop double installation of Cilium CLI in conformance-eks (#32042, @giorio94)
  • gha: drop unused check_url environment variable (#30928, @giorio94)
  • gha: Enable Ingress controller for more e2e test (#32572, @sayboras)
  • gha: explicitly specify beefier runner type for clustermesh workflows (#30335, @giorio94)
  • gha: fix coredns logs retrieval in conformance-clustermesh (#31509, @giorio94)
  • gha: Grant write status permission (#33202, @sayboras)
  • gha: make runner type for clustermesh workflows configurable (#30496, @giorio94)
  • gha: Only retrieve IPv4 CIDR from docker network (#33093, @sayboras)
  • gha: Re-purpose Conformance Kind proxy test (#31074, @sayboras)
  • gha: Remove manual device setting (#31435, @sayboras)
  • gha: retrieve additional coredns-related troubleshooting info (#31384, @giorio94)
  • gha: shorten conformance-externalworkloads cluster name (Backport PR #33981, Upstream PR #33939, @giorio94)
  • gha: test certificate generation methods in conformance clustermesh (#32654, @giorio94)
  • gha: use GH_RUNNER_EXTRA_POWER for conformance-k8s-kind workflow (Backport PR #33981, Upstream PR #33865, @giorio94)
  • golangci-lint: Fix goimports local prefix (#31106, @michi-covalent)
  • hubble: deflake TestLocalObserverServer_NodeLabels (#33285, @kaworu)
  • identity: deflake test TestGetIdentity (#29720, @mhofstetter)
  • identity: deflake test TestGetIdentity - part 2 (#30190, @mhofstetter)
  • Improve BPF complexity test coverage, fix a verifier error after LLVM upgrade. (#32170, @gentoo-root)
  • Improve Conformance Cluster Mesh workflow coverage (#29926, @giorio94)
  • Improve potential issues with tests that use the tunnel eBPF map to help prevent flakes. (#31233, @learnitall)
  • introduce ARM github workflows (#31196, @aanm)
  • ipam: deepcopy interface resource correctly. (#26998, @tommyp1ckles)
  • ipsec-tests: Fix flaky TestUpsertIPSecKeyMissing (#32937, @marseel)
  • iptables: Fix New port number case in TestAddProxyRules{v4,v6} (#30555, @pippolo84)
  • k8s_install.sh: specify the CNI version (#31182, @aanm)
  • loader: fix issue where errors from cancelled compiles cause error logs. (#30988, @tommyp1ckles)
  • Make BPF unit tests reproducible (#31526, @ti-mo)
  • Make testdata build output more stable by reducing header includes (#31644, @ti-mo)
  • Miscellaneous improvements to the clustermesh upgrade/downgrade test (#31958, @giorio94)
  • Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (#31424, @learnitall)
  • Move cilium/hubble code to cilium/cilium repo (#31893, @michi-covalent)
  • Network performance (#30247, @marseel)
  • Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (#30778, @learnitall)
  • Re-enable LRP and K8sSpecificMACAddressTests tests that were incorrectly skipped on non-AKS platforms due to a regression. (#30939, @aditighag)
  • Reduce flakiness of controlplane tests (#30906, @bimmlerd)
  • release image: Allow arbitrary pre-release identifiers (#33718, @michi-covalent)
  • Remove ariane scheduled workflows for 1.12 (#32126, @marseel)
  • Remove remaining references to v4.19 (#30890, @lmb)
  • removing reference to Metal LB in GHA now that MetalLB has been replaced with Cilium L2 Announcement (#28926) (#29854, @nvibert)
  • renovate: add lvh-kind action (#30663, @lmb)
  • renovate: Don't remove images/cilium/download-hubble.sh yet (#32440, @michi-covalent)
  • renovate: temporarily do not update GoBGP (#31123, @rastislavs)
  • Replace v4.19 with RHEL 8.6 in CI (#30872, @lmb)
  • Revert "CI: bump default FQDN datapath timeout from 100 to 250ms" (#33354, @gandro)
  • Revert "test: Disable hostfw in monitor aggregation test" (#32315, @qmonnet)
  • Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (#30207, @giorio94)
  • route: dedicated net ns for each subtest of runListRules (#29916, @mhofstetter)
  • Scale tests improvements (#29859, @marseel)
  • Scrape cilium metrics and add custom prometheus queries (#32254, @marseel)
  • Scrape pprofs in 100 node scale test workflow for extra debugging information (#32056, @learnitall)
  • Simplify NAT46x64, recorder tests (#32068, @joestringer)
  • slices: don't modify missed input slice in test (#31119, @bimmlerd)
  • Spread ariane-scheduled workflows over multiple hours (#32142, @marseel)
  • statedb/reflector: fix race condition in test (#30971, @bimmlerd)
  • Switch to self-hosted Renovate in GHA (#30185, @meyskens)
  • Test endpoint slice synchronization as part of the Conformance Cluster Mesh workflow (#31551, @giorio94)
  • Test IPsec + KPR (#31760, @pchaigno)
  • test/helpers: Skip CiliumUninstall if not installed (#32272, @joestringer)
  • test/verifier: Keep existing environment when running make (#31632, @gentoo-root)
  • test/verifier: Sort BPF program names for stable output (#31617, @gentoo-root)
  • test: add standalone l4lb test to verify that traffic works even when cilium agent is restarted (#30114, @oblazek)
  • test: De-flake xds server_e2e_test (#32004, @jrajahalme)
  • test: Remove redundant IPsec test (#31759, @pchaigno)
  • test: remove unused assertion helpers (#32157, @tklauser)
  • test: Update KPR value in ipsec upgrade jobs (#31649, @sayboras)
  • test: verify that traffic to services works when agent (l4lb) is restarted (#30930, @oblazek)
  • tests: check for pending maps after network policy tests finish (#30188, @lmb)
  • update azure k8s versions (#31220, @brlbil)
  • Update GitHub upload-artifact action (#30443, @brlbil)
  • Use AWS OIDC instead of access key for CI (#30713, @viktor-kurchenko)
  • Use Clang from cilium-builder image to build BPF code in CI (#31754, @gentoo-root)
  • Use GH_RUNNER_EXTRA_POWER for CI image workflow (#32402, @michi-covalent)
  • workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #33804, Upstream PR #33769, @pchaigno)
  • workflows: Bump the timeout for Ginkgo tests (#31991, @pchaigno)
  • workflows: Clean IPsec test output (#30759, @pchaigno)
  • workflows: conformance-eks: use env.QUAY_ORGANIZATION_DEV (#30263, @julianwiedmann)
  • workflows: Cover IPsec encrypted overlay mode in end-to-end tests (#31637, @pchaigno)
  • workflows: Debug info for key rotations (#31627, @pchaigno)
  • workflows: e2e-upgrade: fix EXTRA parameters (#33150, @jibi)
  • workflows: Fix CI jobs for push events on private forks (#32085, @pchaigno)
  • workflows: ignore "No egress gateway found" drops (#32564, @jibi)
  • workflows: Increase IPsec e2e test's timeout (#30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (#29934, @pchaigno)
  • workflows: integration-test: allow to configure bigger runner (#33284, @jibi)
  • workflows: ipsec-e2e: add missing key types for some configs (#31636, @julianwiedmann)
  • workflows: Remove stale CodeQL workflow (#32084, @pchaigno)

Misc Changes:

  • .github/actions: enable passing kind config to lvh-kind action (#32398, @harsimran-pabla)
  • .github/workflows: pin renovate version (#33169, @aanm)
  • .github: add workflow for renovate to build base images (#33326, @aanm)
  • .github: adding daemon/cmd/fqdn to sig/policy PRs (#32442, @vipul-21)
  • .github: Auto-apply labels for sig/policy PRs (#32409, @joestringer)
  • .github: fix cloud workflows for renovate (#33320, @aanm)
  • .github: Fix PR autolabeler (#32406, @joestringer)
  • .github: fix renovate GitHub workflow config (#32935, @aanm)
  • .github: fix workflows used by renovate (#33309, @aanm)
  • .github: switch kind images back to kind (#30659, @aanm)
  • .github: update kindest to 1.30.0 (#33375, @aanm)
  • [operator] Refactor - export CiliumEndpointSlice test utils (#30577, @dlapcevic)
  • [v1.16] ginkgo: use net-next configuration with 6.6 kernel (#33733, @aanm)
  • Accurately manage the teardown sequence of an Endpoint's BPF resources (#32167, @ti-mo)
  • add a fast make target for kind-clustermesh (#29910, @thorn3r)
  • Add a new flag to endpoints in the IPCache to allow for overriding tunnel configuration (#29796, @learnitall)
  • Add auto labeler for hubble-cli (#32343, @aanm)
  • Add auto-merge for renovate for trusted dependencies (#33287, @aanm)
  • Add explicit deprecation notice in the Ginkgo-based E2E testing documentation (#33288, @learnitall)
  • add how to clean up the e2e connectivity test (#30428, @fujitatomoya)
  • Add initial support for Multi-Cluster Services API in Cilium clustermesh (#32264, @MrFreezeex)
  • Add kernel version limitation to multicast Doc (Backport PR #33630, Upstream PR #33567, @yushoyamaguchi)
  • Add monitor aggregation for all events related to packets ingressing to the network-facing device. (#31015, @learnitall)
  • Add NetBird to the Cilium user list (#30645, @braginini)
  • Add OpenVEX document (#30768, @ferozsalam)
  • Add Pod eviction warning in upgrade notes for Envoy DS (#31971, @learnitall)
  • Add securityContext & disable hostNetwork in cronjob helm template (#33077, @Sindvero)
  • Add Spectro Cloud to USERS.md (#32027, @kreeuwijk)
  • Add support for infinite retries for OneShot jobs (#30376, @dylandreimerink)
  • Add support for skipping encapsulation for host-to-pod traffic (#30819, @learnitall)
  • Add support for skipping encapsulation of nodeport-related traffic (#30608, @learnitall)
  • Add Syself to USERS.md (#32204, @lucasrattz)
  • Add the documentation for using serviceAdvertisements (#31331, @chaunceyjiang)
  • add users doc to bug report template (#30603, @xmulligan)
  • Add WSO2 to the cilium users (#32850, @isala404)
  • Add Ænix to the cilium users (#32738, @kvaps)
  • Added EKS-to-EKS Clustermesh Preparation guide (#32355, @network-charles)
  • Added sysctl setting reconciliation (#30439, @dylandreimerink)
  • Address race condition in TestGetIdentity (#30885, @bimmlerd)
  • Adds NETWAYS Web Services to USERS.md (#30505, @mocdaniel)
  • agent: Remove redundant pod spec checks (#31105, @aditighag)
  • agent: Replace gocheck with built-in go test (#32214, @sayboras)
  • agent: Wrap propagating errors from proxy wait group (#31398, @aditighag)
  • all: remove repetitive words (#31566, @deterclosed)
  • Allow packets leaving containers to skip encapsulation. (#30427, @learnitall)
  • Always include symbols in the Agent debug image. (#32032, @EricMountain)
  • api: Replace gocheck with built-in go test (#32217, @sayboras)
  • api: Upgrade go-swagger version to v0.30.5 (#31647, @sayboras)
  • Avoid depending on sysctl in the kind.sh script for IPv6 determination (#31180, @giorio94)
  • background-sync: fix bootstrap issue and edge-case with 1 node (#32630, @marseel)
  • bandwidth: test: don't unlock OS thread too early (#30932, @bimmlerd)
  • bgp/configmap: remove unnecessary else statement (#32892, @harsimran-pabla)
  • BGP: Exporting peers, routes and route-policy states of BGPv2 via CLI. (#32474, @harsimran-pabla)
  • bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (#31218, @YutaroHayakawa)
  • bgpv1: check services for reconciliation if iTP=local (#31963, @harsimran-pabla)
  • bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes (#31181, @YutaroHayakawa)
  • bgpv1: Modularize test fixtures (#30234, @rastislavs)
  • bgpv1: remove BGP Controller from daemon cell (#30561, @harsimran-pabla)
  • bgpv1: Remove disruptive error handling from BGPRouterManager (#30382, @YutaroHayakawa)
  • bgpv1: Remove or downgrade noisy logs (#30868, @YutaroHayakawa)
  • bgpv1: remove references to advertisement from CiliumBGPPeeringPolicy (#30337, @harsimran-pabla)
  • bgpv1: set running flag in manager (#30013, @harsimran-pabla)
  • bgpv1: Some test coverage improvements for bgpv1/agent (#30096, @YutaroHayakawa)
  • bgpv2: Route policies for various reconcilers (#32383, @harsimran-pabla)
  • bgpv2: Add service options to advertisement CRD (#30902, @harsimran-pabla)
  • bgpv2: Allow empty advertisement (#32997, @YutaroHayakawa)
  • bgpv2: Configuration guide for BGPv2 APIs (#32774, @harsimran-pabla)
  • bgpv2: container labs for various types of advertisements (#32522, @harsimran-pabla)
  • bgpv2: filter terminating backends from endpoint selection (#32537, @harsimran-pabla)
  • bgpv2: Fix description of Selector behavior in CiliumBGPAdvertisement CRD (Backport PR #33630, Upstream PR #33537, @rastislavs)
  • bgpv2: fix operator flaky test cases (#31255, @harsimran-pabla)
  • bgpv2: fix pod ip pool cleanup (#32194, @harsimran-pabla)
  • bgpv2: Introducing pod cidr reconciler for bgpv2. (#30815, @harsimran-pabla)
  • bgpv2: introducing PodIPPool reconciler (#31546, @harsimran-pabla)
  • bgpv2: introducing service reconciler in BGPv2 reconcilers (#31962, @harsimran-pabla)
  • bgpv2: pass types.Router in path and policy reconcilers (#33075, @harsimran-pabla)
  • bgpv2: remove automatic bgp peering policy translation to new BGP CRDs. (#31252, @harsimran-pabla)
  • bgpv2: Remove node selector check from v2 PodCIDRReconciler (#33043, @rastislavs)
  • bgpv2: removing v2Enable feature flag (#32692, @harsimran-pabla)
  • bgpv2: setting gobgp configuration based on new BGP APIs (#29988, @harsimran-pabla)
  • bgpv2: Skip reconcile while BGPNodeConfig is not initialized (Backport PR #33630, Upstream PR #33526, @rastislavs)
  • bgpv2: update multi-homing lab to use config overrides (#32775, @harsimran-pabla)
  • BGPv2: Updates CiliumBGPNodeConfigOverride Type (#31598, @danehans)
  • bitlpm: Add Comment for UintTrie (#33241, @nathanjsweet)
  • bitlpm: Add ExactLookup Method (#32609, @nathanjsweet)
  • bitlpm: Convert UintTrie to Struct (#32676, @nathanjsweet)
  • bitlpm: Document and Fix Descendants Bug (#31851, @nathanjsweet)
  • bitlpm: Factor out common code (#31026, @jrajahalme)
  • bpf,config: Add ENABLE_LOCAL_REDIRECT_POLICY macro (#31098, @aditighag)
  • bpf,tests: Add IPv4 checksum validation (#33341, @viktor-kurchenko)
  • bpf/test: Adjust mock function to reflect changes in tail_ipvX_policy (#31738, @jschwinger233)
  • bpf: Add BPF map operations for the StateDB reconciler (#32123, @joamaki)
  • bpf: add ext_err for more callers of tail_call_internal() (#30023, @julianwiedmann)
  • bpf: add improved helper for program-internal tail-call (#30001, @julianwiedmann)
  • bpf: add multicast in MAX_OVERLAY_OPTIONS (#32129, @harsimran-pabla)
  • bpf: add node_key to alignchecker (#31393, @julianwiedmann)
  • bpf: alignchecker: add encrypt_config and world_cidrs_key4 (#29886, @julianwiedmann)
  • bpf: clean up some unneeded includes (#33088, @julianwiedmann)
  • bpf: convert ep_tail_call() to tail_call_internal() (#30288, @julianwiedmann)
  • bpf: ct: allow CT entry creation / lookup without detailed information (#30344, @julianwiedmann)
  • bpf: ct: clean up redundant 0-initializations for CT entry creation (#31788, @julianwiedmann)
  • bpf: ct: fix off-by-1 in ICMP packet statistics (#32393, @julianwiedmann)
  • bpf: ct: return actual error from CT lookup (#33225, @julianwiedmann)
  • bpf: Don't skip local delivery for plain-text packets when IPsec is enabled (#31193, @pchaigno)
  • bpf: drop/trace: identify missing security identity / endpoint ID (#32562, @julianwiedmann)
  • bpf: egressgw: tolerate BPF_FIB_LKUP_RET_NO_NEIGH on older kernels (#30286, @julianwiedmann)
  • bpf: egw: delay SNAT for local client to actual egress interface (#32428, @julianwiedmann)
  • bpf: encap: fix ifindex in TO_OVERLAY trace notification (#33083, @julianwiedmann)
  • bpf: ensure test objects are compiled before tests are run (#33275, @lmb)
  • bpf: explicitly pass map to policy_can_{in,e}gress{4,6} (#31053, @jibi)
  • bpf: extract ethertype in to-netdev / to-overlay just once (#33117, @julianwiedmann)
  • bpf: fib: fix issues with L2 resolution (#30128, @julianwiedmann)
  • bpf: fix skip_tunnel_nodeport_revnat (#33113, @lmb)
  • bpf: hide dynamic/static variant for policy tail-call (#32299, @julianwiedmann)
  • bpf: host: add host_egress_policy hook (#32879, @jibi)
  • bpf: host: consolidate drop notification code in to-netdev (#32422, @julianwiedmann)
  • bpf: host: optimize from-host's ICMPv6 path (#31127, @julianwiedmann)
  • bpf: host: restore HostFW for overlay traffic in to-netdev (#31818, @julianwiedmann)
  • bpf: host: sanitize whole skb->cb in to-netdev (#33183, @julianwiedmann)
  • bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (#29803, @julianwiedmann)
  • bpf: host: skip from-proxy handling in from-netdev (#29962, @julianwiedmann)
  • bpf: host: use security identities in to-netdev's trace notifications (#33081, @julianwiedmann)
  • bpf: improve some trace notifications to report the correct ifindex (#33229, @julianwiedmann)
  • bpf: initial multicast datapath support (#29469, @ldelossa)
  • bpf: introduce ctx_load_and_clear_meta() (#30245, @julianwiedmann)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (#29880, @julianwiedmann)
  • bpf: ipv6: optimize ipv6_addr_copy() (#30029, @julianwiedmann)
  • bpf: lb: clean up REV_NAT_F_TUPLE_SADDR parts in RevDNAT logic (#30701, @julianwiedmann)
  • bpf: lb: remove extra SVC lookup when backend lookup fails (#31595, @julianwiedmann)
  • bpf: lb: return drop reasons from __lb4_rev_nat() (#30410, @julianwiedmann)
  • bpf: lb: small improvements to CT logic (#30950, @julianwiedmann)
  • bpf: lxc: also set from_tunnel for IPv6 CT entries (#30877, @julianwiedmann)
  • bpf: lxc: enrich trace event in cil_to_container (#32737, @julianwiedmann)
  • bpf: lxc: fix ifindex in TO_ENDPOINT trace notification (#33085, @julianwiedmann)
  • bpf: lxc: limit nodeport RevDNAT support to IPsec configurations (Backport PR #33981, Upstream PR #33960, @julianwiedmann)
  • bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() (#33181, @julianwiedmann)
  • bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6 (#30244, @julianwiedmann)
  • bpf: lxc: simplify RevNAT path for loopback replies (#32480, @julianwiedmann)
  • bpf: lxc: use THIS_INTERFACE_IFINDEX instead of CB_IFINDEX (Backport PR #33630, Upstream PR #33524, @julianwiedmann)
  • bpf: minor tail-call cleanups (#31990, @julianwiedmann)
  • bpf: move feature-specific maps into their header files (#33087, @julianwiedmann)
  • bpf: nat: pass back ipv4_load_l4_ports()'s actual drop reason (#29837, @julianwiedmann)
  • bpf: nodeport: add nodeport_rev_dnat_ingress_ipv4_hook infra (#31244, @jibi)
  • bpf: nodeport: avoid revalidation in nodeport_rev_dnat_ingress_ipv4() (#32044, @julianwiedmann)
  • bpf: nodeport: check for ClusterIP access earlier (#32344, @julianwiedmann)
  • bpf: nodeport: clean up ct_state usage in nodeport_lb*() (#31427, @julianwiedmann)
  • bpf: nodeport: clean up redundant 0-initializations (#33255, @julianwiedmann)
  • bpf: nodeport: clean up stale comment (#32734, @julianwiedmann)
  • bpf: nodeport: don't forward host id in nodeport_lb4 (#31120, @jibi)
  • bpf: nodeport: fix check to forward identity in nodeport_lb4 (#31085, @jibi)
  • bpf: nodeport: remove TC_INDEX_F_SKIP_RECIRCULATION logic (#30435, @julianwiedmann)
  • bpf: nodeport: simplify CT entry validation in nodeport_lb*() (#31165, @julianwiedmann)
  • bpf: nodeport: split off LB logic in nodeport_lb*() (#31590, @julianwiedmann)
  • bpf: nodeport: split up ingress path when HostFW is enabled (#30442, @julianwiedmann)
  • bpf: overlay: restore bpf_clear_meta() in from-overlay (#30343, @julianwiedmann)
  • bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (#32871, @jibi)
  • bpf: proxy: add IPv4 fragmentation support in ctx_redirect_to_proxy_first() (#29760, @julianwiedmann)
  • bpf: Replace old school header guards with #pragma once (#32235, @dylandreimerink)
  • bpf: s/NODE_MAC/THIS_INTERFACE_MAC (#32839, @julianwiedmann)
  • bpf: test: future-proof some kernel version checks (#30127, @julianwiedmann)
  • bpf: tests: don't define HAVE_ENCAP in IPsec tests (#31737, @julianwiedmann)
  • bpf: trace: identify ifindex 0 as TRACE_IFINDEX_UNKNOWN (#32526, @julianwiedmann)
  • bpf: transport source identity in MARK_MAGIC_OVERLAY (#32944, @julianwiedmann)
  • bpf: update set_ipsec_encrypt to optionally fill SPI with node map value (#31804, @ldelossa)
  • bpf: update unreachable-tailcall.o after updating CILIUM_BUILDER_IMAGE (#31412, @mhofstetter)
  • bpf: xdp: clean up xdp_adjust_hroom() (#30325, @julianwiedmann)
  • bpf: xdp: remove unused set_encrypt_dip() (#31367, @julianwiedmann)
  • Bugtool commands list generation improvements (#32253, @pippolo84)
  • bugtool: Capture memory fragmentation info from /proc (#30966, @pchaigno)
  • bugtool: Deduplicate tc qdisc commands (#32455, @pippolo84)
  • bugtool: Dump raw node ID map (#31741, @pchaigno)
  • build(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#32072, @dependabot[bot])
  • build(deps): bump idna from 3.4 to 3.7 in /Documentation (#31916, @dependabot[bot])
  • build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (#30219, @dependabot[bot])
  • build(deps): bump jinja2 from 3.1.3 to 3.1.4 in /Documentation (#32390, @dependabot[bot])
  • build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (#32176, @dependabot[bot])
  • build(deps): bump requests from 2.31.0 to 2.32.0 in /Documentation (#32626, @dependabot[bot])
  • build(deps): bump tornado from 6.3.3 to 6.4.1 in /Documentation (#32946, @dependabot[bot])
  • build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (#33218, @dependabot[bot])
  • build-images-base: cancel github runs based on branch name (#33353, @aanm)
  • build-images-base: push to branch if pull request ref doesn't exist (#33368, @aanm)
  • build-images: fetch artifacts with specific pattern (#33216, @aanm)
  • build: golangci-lint: update go version configuration (#32191, @mhofstetter)
  • Bump allowed Golang version to v1.21 (#30084, @ferozsalam)
  • bump cni plugins to v1.5.0 (#32629, @antonipp)
  • Bump readme, MLH for v1.15.0-rc.0 (#29909, @joestringer)
  • Bump release versions references by readme, stable.txt, and MLH (#29879, @asauber)
  • Bump the certgen utility to v0.2.0, and adapt the associated configuration (#33057, @giorio94)
  • Bump timeout of lint-build-commits.yaml (#32746, @YutaroHayakawa)
  • bwmap: Reconcile cilium_throttle with StateDB reconciler (#32438, @joamaki)
  • CEC: Extract CiliumEnvoyConfig from global k8s watcher (#30298, @mhofstetter)
  • cec: move config property 'envoy-config-timeout' into hive config (#31086, @mhofstetter)
  • CEC: Move resource parser and envoy l7lb backend syncer to /pkg/ciliumenvoyconfig (#30290, @mhofstetter)
  • cec: remove label break by extracting function to inject L7 filter (#30062, @mhofstetter)
  • cec: support resource name qualification for HTTP HealthCheckFilter (#32308, @mhofstetter)
  • cec: timer-based reconcile job as fallback (#30866, @mhofstetter)
  • cgroup manager: introduce hive cell (#32799, @mhofstetter)
  • Change ariane config CODEOWNERS (#30803, @brlbil)
  • check-sources.sh: move file lists to env variables (#30600, @jibi)
  • chore(deps): update actions/download-artifact action to v4.1.3 (main) (#30985, @renovate[bot])
  • chore(deps): update actions/setup-go action to v5 (main) (#29952, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30618, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30898, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#30948, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31109, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31282, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31443, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31573, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31697, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31951, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#31992, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32101, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32237, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32360, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32491, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32620, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32718, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32834, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#32989, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#33135, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#33300, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#33402, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#29948, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#30394, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30392, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30478, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30779, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#30830, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#31130, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#32565, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#33478, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#33622, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#33788, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies to v3 (main) (major) (#30485, @renovate[bot])
  • chore(deps): update all github action dependencies to v4 (main) (major) (#30048, @renovate[bot])
  • chore(deps): update all kind-images main (main) (#30828, @renovate[bot])
  • chore(deps): update all kind-images main (main) (patch) (#30621, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (#30974, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29945, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#30044, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#30805, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#31131, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#31230, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#31574, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#32361, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#32984, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33187, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33297, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33343, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33401, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240204.012837 (main) (patch) (#30460, @renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240309.012251 (main) (patch) (#31276, @renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240315.012542 (main) (patch) (#31440, @renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240521.012924 (main) (patch) (#32631, @renovate[bot])
  • chore(deps): update all lvh-images main to bpf-next-20240529.013128 (main) (patch) (#32830, @renovate[bot])
  • chore(deps): update all-dependencies (main) (#31275, @renovate[bot])
  • chore(deps): update all-dependencies (main) (#31694, @renovate[bot])
  • chore(deps): update all-dependencies (main) (#32242, @renovate[bot])
  • chore(deps): update all-dependencies (main) (#32359, @renovate[bot])
  • chore(deps): update all-dependencies (main) (#32983, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#33298, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#33602, @cilium-renovate[bot])
  • chore(deps): update alpine-images (main) (patch) (#30479, @renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.0 (main) (#31281, @renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.10 (main) (#33131, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.6 (main) (#32219, @renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.7 (main) (#32394, @renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.16.7 (main) (#32771, @renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.17 (main) (#31695, @renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.18 (main) (#32566, @renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#33790, @cilium-renovate[bot])
  • chore(deps): update cilium/scale-tests-action digest to 511e3d9 (main) (#33210, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (#29942, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (main) (#30200, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.21 (main) (#30569, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.22 (main) (#30622, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.23 (main) (#30832, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.0 (main) (#31171, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.10 (main) (#32985, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.16) (#33659, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.3 (main) (#31386, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.4 (main) (#31673, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.8 (main) (#32779, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.9 (main) (#32831, @renovate[bot])
  • chore(deps): update dependency eksctl-io/eksctl to v0.167.0 (main) (#30046, @renovate[bot])
  • chore(deps): update dependency go to v1.22.3 (main) (#32772, @renovate[bot])
  • chore(deps): update dependency grpc-ecosystem/grpc-health-probe to v0.4.27 (main) (#33132, @cilium-renovate[bot])
  • chore(deps): update dependency kubernetes-sigs/kind to v0.22.0 (main) (#30826, @renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v27 (main) (#32767, @renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.409.1 (main) (#33171, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.409.2 (main) (#33199, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.410.1 (main) (#33205, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.415.0 (main) (#33350, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.5 docker digest to 672a228 (main) (#30043, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (main) (#30242, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (main) (#30619, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.1 docker digest to 0b55ab8 (main) (#31438, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.2 docker digest to 450e382 (main) (#31949, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.2 docker digest to d5302d4 (main) (#32218, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.3 docker digest to f43c6f0 (main) (#32579, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to 0f76912 (main) (#33130, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to a66eda6 (main) (#33331, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to c2010b9 (main) (#33170, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6042500 (main) (#29939, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (main) (#30391, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f9d633f (main) (#30620, @renovate[bot])
  • chore(deps): update docker/build-push-action action to v5.4.0 (main) (#33006, @cilium-renovate[bot])
  • chore(deps): update docker/build-push-action action to v6 (main) (#33197, @cilium-renovate[bot])
  • chore(deps): update docker/setup-buildx-action action to v3.3.0 (main) (#31832, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (main) (#29940, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 49af061 (main) (#30946, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (main) (#31439, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6a3500b (main) (#30829, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (main) (#31815, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c (main) (#31950, @renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.12 (main) (#30623, @renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.14 (main) (#32832, @renovate[bot])
  • chore(deps): update github/codeql-action action to v3.24.10 (main) (#31816, @renovate[bot])
  • chore(deps): update github/codeql-action action to v3.24.8 (main) (#31479, @renovate[bot])
  • chore(deps): update go to v1.21.6 (main) (patch) (#30172, @renovate[bot])
  • chore(deps): update go to v1.22.0 (main) (minor) (#30673, @renovate[bot])
  • chore(deps): update go to v1.22.1 (main) (#31277, @renovate[bot])
  • chore(deps): update go to v1.22.2 (main) (#31767, @renovate[bot])
  • chore(deps): update go to v1.22.3 (main) (#32416, @renovate[bot])
  • chore(deps): update go to v1.22.4 (main) (#32893, @renovate[bot])
  • chore(deps): update go to v1.22.5 (v1.16) (#33566, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.56.2 (main) (#30839, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.57.1 (main) (#31576, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.57.2 (main) (#31696, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.58.0 (main) (#32363, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.59.0 (main) (#32833, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.59.1 (main) (#32986, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint-action action to v4 (main) (#30849, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.0 (main) (minor) (#30272, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.2 (main) (#31320, @renovate[bot])
  • chore(deps): update hubble cli to v0.13.3 (main) (#32102, @renovate[bot])
  • chore(deps): update kindest/node docker tag to v1.30.2 (v1.16) (#33521, @cilium-renovate[bot])
  • chore(deps): update kylemayes/install-llvm-action action to v2.0.1 (main) (#31746, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (main) (#31241, @renovate[bot])
  • chore(deps): update nick-invision/retry action to v3 (main) (#30628, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.13.4 (main) (#32621, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20240628.013131 (v1.16) (#33480, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#33620, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#33791, @cilium-renovate[bot])
  • chore: provide OSSF security insight (#30448, @mmorel-35)
  • chore: update json-mock image source in examples (#31373, @loomkoom)
  • CI: bump default FQDN datapath timeout from 100 to 250ms (#31866, @squeed)
  • ci: fix typo in generate-k8s-api workflow (#30824, @chaunceyjiang)
  • ci: GitHub action syntax fixes (#32507, @viktor-kurchenko)
  • cilium, bpf: pkts/byte count conversion for ct (#31087, @borkmann)
  • cilium, netkit: Add CI e2e coverage (#33005, @borkmann)
  • cilium, tests: Temporarily disable agent restart test in l4lb (#30710, @borkmann)
  • cilium-dbg: avoid leaking file resources (#31750, @tklauser)
  • cilium-dbg: Expose Cilium network routing status (#32036, @joestringer)
  • cilium-dbg: fix exported command name (#31606, @lmb)
  • cilium-dbg: listing load-balancing configurations displays L7LB proxy port (#31503, @mhofstetter)
  • cilium-dbg: Reprint header line periodically with statedb (#32798, @joamaki)
  • cilium-dbg: Use a tabwriter that remembers the widths (#32434, @joamaki)
  • cilium-health: Fix setting of disable_ipv6 sysctl (#32120, @joamaki)
  • cilium: add note into upgrade guide and perf guide about netkit enablement (#33404, @borkmann)
  • cilium: Enable plain IPIP/IP6IP6 termination (#31213, @borkmann)
  • cilium: Small health cleanup improvements (Backport PR #33981, Upstream PR #33700, @borkmann)
  • ciliumenvoyconfig: always inject Envoy Cilium filters (Network & L7) for L7 loadbalancing (#30546, @mhofstetter)
  • Cleanup: no need to deactivate l7proxy when activating EgressGateway (Backport PR #33630, Upstream PR #33516, @cdtzabra)
  • cleanup: Remove deprecated StringCounter (#32639, @sayboras)
  • cleanup: untangle unnecessarily complex policy initialization (#32813, @squeed)
  • cleanup: Use context package from std libraries (#32795, @sayboras)
  • cli: Replace gocheck with built-in go test (#32210, @sayboras)
  • cli: make multicast subscriber list exportable (#31799, @harsimran-pabla)
  • cloud-provider: Replace gocheck with built-in go test (#32212, @sayboras)
  • clustermesh: Cleanup un-used endpoint related attributes (#32645, @sayboras)
  • clustermesh: drain all known entries upon cluster ID change (#32996, @giorio94)
  • clustermesh: drop clustermesh/remoteCluster circular reference (#32900, @giorio94)
  • clustermesh: drop node observer global variables from tests (#32471, @giorio94)
  • clustermesh: drop redundant OnClusterDelete from GlobalServiceCache (#32751, @giorio94)
  • clustermesh: fix panic if the etcd client cannot be created (#32225, @giorio94)
  • clustermesh: fix remote service deletion on endpointslicesync (#32961, @MrFreezeex)
  • clustermesh: forbid connecting to cluster with same ID as local (#32753, @giorio94)
  • clustermesh: grant read permissions to the cilium/.heartbeat prefix (#33436, @giorio94)
  • ClusterMesh: improve validation of remote endpoints and identities (#32785, @giorio94)
  • ClusterMesh: improve validation of remote nodes and services (#32749, @giorio94)
  • clustermesh: periodically enforce cilium cluster configuration (#32867, @giorio94)
  • cmd, watchers: Populate ipcache in case of high-scale ipcache (#31848, @pchaigno)
  • cni: Improve logging with common fields (#31805, @sayboras)
  • CODEOWNERS: add sig-scalability ownership of CiliumEndpointSlice (#32535, @thorn3r)
  • CODEOWNERS: Move devcontainer to cilium/ci (#33029, @joestringer)
  • CODEOWNERS: pull in sig-wireguard for wireguard-related files (#30380, @julianwiedmann)
  • CODEOWNERS: sig-scalability owns scalability-specific GH workflows (#29819, @marseel)
  • common: remove unused MapStringStructToSlice (#32345, @tklauser)
  • config: remove ingress & gateway api leftovers from global agent config (#32782, @mhofstetter)
  • config: Remove unused ENCRYPT_IFACE macro (#31323, @pchaigno)
  • Consolidate network namespace handling (#29993, @bleggett)
  • Consolidate regeneration metrics accounting (#32677, @christarazi)
  • consolidate_go_stacktrace: Add '--filter lock' (#32273, @joestringer)
  • container/bitlpm: Add Lookup Boolean Return Value (#31037, @nathanjsweet)
  • contexthelpers: remove unused package (#31834, @tklauser)
  • contrib,tool: exclude slice cleanup (#33365, @viktor-kurchenko)
  • contrib/scripts: remove check-assert-deep-equals (#32530, @tklauser)
  • contrib/scripts: Remove special handling for patch release number 90 (#30413, @qmonnet)
  • contrib: Add installation script for tools in devcontainer (#31534, @fujitatomoya)
  • contrib: Autodetect GITHUB_TOKEN during release (#29901, @joestringer)
  • contrib: Clean up un-used scripts (#32456, @sayboras)
  • contrib: Fix post-release.sh for branch candidates (#29907, @joestringer)
  • contrib: Remove CHARTS_PATH dependency (#32328, @joestringer)
  • contrib: Switch from 'hub' to 'gh' (#32326, @joestringer)
  • controller: Add and use lookup function for controllers (#31236, @christarazi)
  • controller: Remove unused function FakeManager() (#32011, @joestringer)
  • Correct Istio Integration Documentation for Cilium CLI Flag Usage (#30152, @rootsongjc)
  • ctmap: dump CT entry's BackendID (#32563, @julianwiedmann)
  • daemon/hive: No longer make WireGuard an optional dependency (#30544, @gandro)
  • daemon/ipam: don't swallow parse error of CIDR (#33283, @bimmlerd)
  • daemon: add agent-runtime-config backup files to gitignore (Backport PR #33630, Upstream PR #33485, @mhofstetter)
  • daemon: Add rate-limiting to device reloading (#32527, @joamaki)
  • daemon: Allow DNS transparent mode to be turned off with encryption (Backport PR #33630, Upstream PR #33420, @gandro)
  • daemon: cleanup daemon fields (#32880, @mhofstetter)
  • daemon: Do not require socketLB for BPF masq (Backport PR #33846, Upstream PR #33728, @brb)
  • daemon: inline lookupIPsBySecID (#30919, @tklauser)
  • daemon: Mark --hubble-drop-events as alpha (Backport PR #33981, Upstream PR #33977, @joestringer)
  • daemon: Refactor syncHostIPs (#30373, @joamaki)
  • daemon: remove unnecessary method DebugEnabled (#33106, @mhofstetter)
  • daemon: remove unused method GetOptions (#33105, @mhofstetter)
  • daemon: Reserve Geneve tunnel port if enabled (#32421, @gandro)
  • datapath, bpf: Remove unnecessary IPsec code (#31344, @pchaigno)
  • datapath/fake: Move commonly imported types to fake/types package (#30523, @gandro)
  • datapath/iptables: remove unused customChain.feederArgs (#31876, @tklauser)
  • datapath/linux: Convert to slog logging (#33121, @joamaki)
  • datapath: add more nat/overlay/nodeport hooks (#30888, @jibi)
  • datapath: clean up unused SECLABEL_NB (#33211, @julianwiedmann)
  • datapath: Enable N/S LB for overlapping pod CIDR (#30348, @jibi)
  • datapath: Remove LoadBalancerNodeAddresses & LocalAddresses methods (#30458, @joamaki)
  • datapath: Replace gocheck with built-in go test (#32259, @sayboras)
  • datapath: report distinct drop reason for missed endpoint policy tailcall (#32151, @julianwiedmann)
  • datapath: trivial cleanups for KPR config handling (#32453, @julianwiedmann)
  • Deactivated Grafana reporting in monitoring example yaml. (#31989, @mvtab)
  • Defines the cilium-envoy image used in the build Dockerfile using ARG to allow overrides. (#29638, @EricMountain)
  • dep: Bump grpc_health_probe to v0.4.24 (#30643, @ferozsalam)
  • deps, renovate: Update GoBGP to v3.26.0 & re-enable updates by renovate (#32306, @rastislavs)
  • dev: Clean-up development setup (#32277, @sayboras)
  • dev: Enable IPv6 system setting for devcontainer environment. (#31268, @fujitatomoya)
  • devices: Fix panic in tests when logger used after stopping (#32551, @joamaki)
  • devices: Use slog instead of logrus (#32469, @joamaki)
  • Doc fix: Correct hubble exporter config lines (#30424, @saintdle)
  • doc,bgpv1: Add documentation about the address family option (#30455, @YutaroHayakawa)
  • doc,bgpv1: Add some failure scenarios (#31249, @YutaroHayakawa)
  • doc,bgpv1: Bootstrap BGP Control Plane troubleshooting doc (#30506, @YutaroHayakawa)
  • doc,bgpv1: Bootstrapping BGP CPlane failure scenario doc (#31153, @YutaroHayakawa)
  • doc,bgpv1: More failure scenario and wording improvement (#31470, @YutaroHayakawa)
  • doc,bgpv1: Refresh BGP Control Plane document structure (#30345, @YutaroHayakawa)
  • doc: Add Azure CNI Powered by cilium as external installer (#28286, @tamilmani1989)
  • doc: Add doc for disk based cilium network policy (Backport PR #33941, Upstream PR #33854, @tamilmani1989)
  • doc: Added doc for ingress/GwAPI host network mode (#31839, @PhilipSchmid)
  • doc: Clarified GwAPI KPR prerequisites (#31366, @PhilipSchmid)
  • doc: Document APAC community meeting (#31461, @YutaroHayakawa)
  • doc: Installation guide for Talos (#30388, @PhilipSchmid)
  • doc: List L2LB LB class to LB IPAM doc (#33031, @PhilipSchmid)
  • doc: Rework the AKS tabs so that only instructions for BYOCNI remain. (#28933, @tamilmani1989)
  • doc: Update doc for CRD CiliumNodeConfig from v2alpha1 to v2 (#33167, @doniacld)
  • doc: Update recommended way for installing cilium on AKS (#28910, @tamilmani1989)
  • doc: Updated RKE/Rancher guides (#30178, @PhilipSchmid)
  • docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #33804, Upstream PR #33655, @aditighag)
  • docs: Add annotation for Ingress endpoint (#32284, @sayboras)
  • docs: Add command hints in make kind output (#30564, @sayboras)
  • docs: Add connectivity perf test introduction as a part of e2e tests. (#31731, @fujitatomoya)
  • docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (#30236, @soggiest)
  • docs: add EnableDefaultDeny documentation (#32097, @squeed)
  • docs: Add example for kube-apiserver entity policy (#32278, @joestringer)
  • docs: add link to sig-policy meeting (#32340, @squeed)
  • docs: Add note about socketLB.hostNamespaceOnly to Kata page (Backport PR #33804, Upstream PR #33725, @brb)
  • Docs: add note about AKS kube-apiserver entity (#32464, @darox)
  • docs: Add note about WG and MTU with CNI chaining (#33429, @brb)
  • Docs: add note on matchExpressions for cnp and ccnp (#30811, @darox)
  • docs: Add Port Range Information (Backport PR #33630, Upstream PR #33389, @nathanjsweet)
  • docs: Add reference to BGP Control Plane from Multi-Pool IPAM page (#30748, @rastislavs)
  • docs: Add stubs for v1.16 upgrade notes (#29903, @joestringer)
  • docs: Add table for which pkts are encrypted with WG (#31557, @brb)
  • docs: add upgrade note for dangling cidrGroupRefs (Backport PR #33630, Upstream PR #33445, @bimmlerd)
  • docs: Add user manual how to enable and configure multicast feature. (#32612, @fujitatomoya)
  • docs: add Veepee as cilium USERS (#30913, @nerzhul)
  • Docs: Adds IPv6 Tunneling Caveat to Networking Concepts (#30364, @danehans)
  • docs: aks: avoid overlapping service and pod CIDRs (#31543, @bimmlerd)
  • docs: Clarify that --labels does not override default set (#32445, @christarazi)
  • docs: clean up example yaml for L4 Deny Policy (#32015, @huntergregory)
  • docs: Clean-up Host Firewall documentation, list known issues (#32267, @qmonnet)
  • docs: cleanup upgrade docs on 1.16 (#33703, @marseel)
  • docs: Correct dynamic hubble exporter sample configs example (#31445, @littlesheng19)
  • docs: Correct name of "cert-manager" in tab groups (#31929, @JamesLaverack)
  • docs: Describe fqdn cache entry expiration timers (#32350, @joestringer)
  • docs: Document No node ID found drops in case of remote node deletion (#31635, @pchaigno)
  • docs: Document build framework for docs (#32006, @qmonnet)
  • docs: Document enable-node-selector-labels flag (#31188, @oblazek)
  • docs: Document NodePort BPF and iptables SNAT port collision (#30858, @brb)
  • docs: Document plus sign in IPsec secret (Backport PR #33630, Upstream PR #33564, @pchaigno)
  • docs: Document renovate testing strategy (#30166, @joestringer)
  • docs: Document XfrmInStateInvalid errors (#30151, @pchaigno)
  • docs: egressgw: describe routing on Gateway node (#30488, @julianwiedmann)
  • docs: egressgw: remove kernel requirement (#33064, @julianwiedmann)
  • docs: Extend LRP guide with troubleshooting section (#33373, @aditighag)
  • docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (#30462, @saintdle)
  • docs: Fix a spelling mistake in BGP docs (#33328, @saintdle)
  • docs: fix chained veth plugin example (#30209, @squeed)
  • docs: Fix CRD compatibility table references (#32859, @joestringer)
  • docs: Fix keyid derivation in IPsec docs (#30000, @brb)
  • docs: Fix literals formatting in Envoy documentation by replacing straight quotes with back quotes (#32953, @hacktivist123)
  • docs: Fix pep-8 style for conf.py (#32009, @joestringer)
  • docs: Fix profiling related debugging instructions (#31044, @aditighag)
  • docs: Fix prometheus port regex (#32030, @JBodkin-Amphora)
  • docs: Fix style pitfalls in the ClusterMesh guide (#32320, @network-charles)
  • docs: Fix various typos in README.rst (#31072, @payneInTheBrian)
  • docs: generalize version specific notes section (Backport PR #33941, Upstream PR #33888, @giorio94)
  • docs: Improve CiliumEndpointSlice documentation to prepare graduation to "Stable" (#31800, @antonipp)
  • Docs: improve Flatcar section (#31986, @darox)
  • docs: Improve Ingress documentation (Backport PR #33804, Upstream PR #33698, @youngnick)
  • docs: Improve note on kube-apiserver entity limitations (#33382, @gandro)
  • docs: ipsec: document native-routing + Egress proxy case (#31478, @julianwiedmann)
  • docs: ipsec: mention dependency on transparent mode for DNS proxy (#33062, @julianwiedmann)
  • docs: ipsec: remove limitation for native-routing with L7 egress policy (#32906, @julianwiedmann)
  • docs: kpr: DSR-Geneve with native-routing requires tunnelProtocol (#30854, @julianwiedmann)
  • docs: Make ICMP rules for the Host Firewall easier to read/search (#31900, @qmonnet)
  • Docs: mark Tetragon as Stable (#31886, @sharlns)
  • docs: minor updates for Egress Gateway (#33060, @julianwiedmann)
  • docs: remove beta from local redirect policy page (Backport PR #33630, Upstream PR #33498, @ysksuzuki)
  • docs: Remove CNCF graduation from the roadmap (Backport PR #33804, Upstream PR #33680, @joestringer)
  • docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #33804, Upstream PR #33626, @giorio94)
  • docs: Remove outdated note on IPv6 BPF masquerading being incompatible with the Host Firewall (#32685, @qmonnet)
  • Docs: restructure Cluster Mesh scaling section (#30582, @thorn3r)
  • docs: Suggest using operator logs for troubleshooting (#31500, @simonfelding)
  • docs: Update Gateway API version in example (#30115, @sayboras)
  • docs: Update link to cilium/ebpf's list of eBPF program types (#31699, @haiyuewa)
  • docs: Update link to USERS.md in README from RAW Github to standard Github UI (#30589, @ondrejsika)
  • docs: Update LLVM requirement to LLVM 17 (#32236, @pchaigno)
  • docs: Update LVH VM image pull instructions (Backport PR #33804, Upstream PR #33621, @brb)
  • docs: update note on WireGuard with tunnel routing (#31083, @julianwiedmann)
  • docs: Update the Gateway API badge (#30477, @sayboras)
  • docs: Updating Azure CNI chaining as Legacy approach (#28571, @vipul-21)
  • docs: Warn on key rotations during upgrades (#31437, @pchaigno)
  • docs: warn users that IPsec and KPR are mutually exclusive (#30403, @f1ko)
  • Document Cluster Mesh global services limitations when KPR=false (#31798, @giorio94)
  • Document configuring hubble metrics with TLS (Backport PR #33941, Upstream PR #33661, @chancez)
  • Document dev cycle and feature freeze (#32929, @joestringer)
  • Document supported upgrade and rollback paths (#30408, @lmb)
  • Document the process for disabling workflows (#31603, @michi-covalent)
  • Documentation update for BGPv2 transport configuration (#33307, @dswaffordcw)
  • Documentation: accept ORG and REPO (Backport PR #33630, Upstream PR #33514, @aanm)
  • Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #33804, Upstream PR #33708, @Mais316)
  • Documentation: Add troubleshooting section to L2 Announcements (#33386, @dylandreimerink)
  • documentation: embed eCHO episodes in Cilium docs (#32907, @hacktivist123)
  • Don't emit an error message on namespace termination due to Ingress reconciliation (#30808, @giorio94)
  • Don't expand CIDR labels, match smartly in Labels instead (#30897, @squeed)
  • Downgrade L2 Neighbor Discovery failure log to Debug (#31179, @YutaroHayakawa)
  • Drop broken and superseded CiliumInternalIP restoration logic (#30436, @giorio94)
  • Drop gopsutil dependency (#30222, @nickolaev)
  • Drop unused service-related test helpers (#32002, @giorio94)
  • egressgw: improvements for FIB-driven redirect path (#30576, @julianwiedmann)
  • egressgw: minor bpf refactors (#32094, @julianwiedmann)
  • egressgw: Miscellaneous minor fixes to the manager (#31869, @pippolo84)
  • egressgw: reject config with EnableIPv4Masquerade false (#32150, @ysksuzuki)
  • egressgw: remove deleteStaleIPRulesAndRoutes() (#30025, @julianwiedmann)
  • egressgw: remove gwc.ifaceName (#32321, @julianwiedmann)
  • egressgw: remove nodeDataStore map from Manager (#30500, @markpash)
  • egressgw: skip egressgw handling if the packet is from host (#33148, @ysksuzuki)
  • egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP (#32868, @pippolo84)
  • endpoint / ApplyPolicyMapChanges: fix incorrect comment (#31790, @squeed)
  • endpoint: clean up unused code (#32081, @tklauser)
  • endpoint: Fix Policy Sync Method (#33146, @nathanjsweet)
  • endpoint: move locking into getProxyStatistics (#30414, @tklauser)
  • endpoint: pause policymap-sync controller during regeneration (#30232, @squeed)
  • endpoint: remove unused parameter from Add/NewEndpoint functions (#33071, @mhofstetter)
  • endpoint: Skip build queue warning log if context is canceled (#32132, @jrajahalme)
  • endpoint: skip Envoy incremental updates if no Envoy redirects (#31454, @squeed)
  • endpoint: skip Envoy incremental updates if no Envoy redirects (try 2) (#31775, @squeed)
  • endpoint: store state in ep_config.json (#31559, @lmb)
  • endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set (#31021, @jibi)
  • endpoint: Use resolved named port also in the proxy stats (#29813, @jrajahalme)
  • endpointmanager: Improve health reporter messages when stopped (#31231, @christarazi)
  • endpointmanager: Skip warning logs for endpoints being removed (#32619, @jrajahalme)
  • Ensure wireguard.h includes the correct headers (#30539, @ldelossa)
  • envoy: add support to bind to privileged ports (#32158, @mhofstetter)
  • envoy: Bump golang version to 1.21.8 (#31224, @sayboras)
  • envoy: Call given callback also when reusing a listener (#32974, @jrajahalme)
  • envoy: cleanup istio specifics (#31448, @mhofstetter)
  • Envoy: Extract Secret Sync from global k8swatcher (#30418, @mhofstetter)
  • envoy: move config values from global config into hive cell (#31351, @mhofstetter)
  • envoy: Remove deprecated runtime key logs (#31108, @sayboras)
  • envoy: Remove un-necessary warning log filtering (#33013, @sayboras)
  • envoy: support configurable Envoy base id in embedded mode (#31449, @mhofstetter)
  • envoy: Update to use original source address also for external destinations (#32331, @jrajahalme)
  • examples: Fix subject selector in ingress policy (#33292, @joestringer)
  • Expose Cilium operator go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#29245, @derailed)
  • Expose clustermesh global service cache and hooks in the operator to prepare for MCS-API support (#32287, @MrFreezeex)
  • Expose clustermesh ServicesSynced method from endpointslicesync ClusterMesh (#32538, @MrFreezeex)
  • Extend kind-clustermesh Makefile target to create dual stack clusters (#30129, @giorio94)
  • Extract clustermesh logic in the operator in a generic package (#32979, @MrFreezeex)
  • fix 'mismatch' typos in error messages (#31660, @julianwiedmann)
  • Fix a few issues with the newly added MCS-API controllers (#32555, @MrFreezeex)
  • Fix bandwidth manager reconciler config (#32952, @dylandreimerink)
  • Fix cilium-envoy ServiceMonitor template typo (#29976, @cornfeedhobo)
  • Fix CiliumEnvoyConfig Nodeport handling again (#33266, @youngnick)
  • Fix container/bitlpm traversal (Backport PR #33630, Upstream PR #33447, @jrajahalme)
  • Fix crash caused while deleting LRPs with skipRedirectFromBackend flag set to true. (#32822, @aditighag)
  • Fix failure in FuzzDenyPreferredInsert test (#30368, @christarazi)
  • Fix for small typos on documentation (Backport PR #33941, Upstream PR #33853, @beyildirim)
  • Fix helm chart incompatible types for comparison (#32025, @lou-lan)
  • Fix helm template for hubble-relay prometheus annotations (#31253, @glrf)
  • Fix issue where ec2-api-endpoint config would use the incorrect API endpoint. (Backport PR #33804, Upstream PR #33598, @archerwu9425)
  • fix link in node-ipam.rst (Backport PR #33630, Upstream PR #33505, @saintdle)
  • Fix loading of program cil_sock{4,6}_connect due to verifier complexity issue on certain kernels. (Backport PR #33804, Upstream PR #33709, @aditighag)
  • Fix log error in clustermesh-apiserver when connecting external workloads (#29896, @giorio94)
  • Fix regression causing a 10x increase in the duration of endpoint integration tests (#29826, @giorio94)
  • Fix regression with ClusterMesh deployments failing to provision the clustermesh-apiserver Service in some cloud provider environments due to not supporting session affinity (#32657, @thorn3r)
  • Fix renovate config for grpc_health_probe (#30675, @glrf)
  • Fix renovate's concurrency group (Backport PR #33560, Upstream PR #33528, @aanm)
  • Fix running tests locally in kind. (#31234, @gentoo-root)
  • Fix spelling in DNS-based proxy info (#31728, @saintdle)
  • Fix threat model typo (#32752, @ferozsalam)
  • Fix typo in Multicast feature documentation (Backport PR #33846, Upstream PR #33773, @superbananaman)
  • Fix unnecessary warning by adding cilium_per_cluster_snat to the list of ignored ELF prefixes (#30998, @giorio94)
  • fix(deps): update all go dependencies main (main) (#29941, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#30199, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#30947, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31112, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31278, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31441, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31462, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31578, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31853, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#31952, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32106, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32222, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32256, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32362, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32490, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32509, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32622, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32717, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32743, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32856, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (#32987, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33133, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33172, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33200, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33359, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30047, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30122, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30385, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30482, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30626, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#30848, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29947, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30045, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30077, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30140, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30393, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#30625, @renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (#32988, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (#33213, @cilium-renovate[bot])
  • fix(deps): update google.golang.org/genproto/googleapis/rpc digest to a219d84 (main) (#31305, @renovate[bot])
  • fix(deps): update google.golang.org/genproto/googleapis/rpc digest to c811ad7 (main) (#31322, @renovate[bot])
  • fix(deps): update kubernetes packages to v0.30.2 (main) (#33299, @cilium-renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.681 (main) (#30976, @renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.731 (main) (#32377, @renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.748 (main) (#32736, @renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.0 (main) (#33134, @cilium-renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.1 (main) (#33173, @cilium-renovate[bot])
  • fix(deps): update module github.com/docker/docker to v25 (main) (#30395, @renovate[bot])
  • fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] (main) (#31531, @renovate[bot])
  • fix(deps): update module github.com/go-openapi/runtime to v0.27.1 (main) (#30481, @renovate[bot])
  • fix(deps): update module github.com/hashicorp/go-hclog to v1.6.3 (main) (#33371, @cilium-renovate[bot])
  • fix(deps): update module github.com/tidwall/gjson to v1.17.1 (main) (#30836, @renovate[bot])
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (#29971, @renovate[bot])
  • fix(deps): update module golang.org/x/crypto to v0.20.0 (main) (#30987, @renovate[bot])
  • fix: Adding the fatal error for ipv6 cilium config on a single stack node (#28953, @vipul-21)
  • fix: close verifier.log (#32018, @testwill)
  • fix: deduplicate ConfigMap key if ENI mode and endpointRoutes are enabled (#31891, @remi-gelinas)
  • fix: remove help message in build config failure (#28974, @vipul-21)
  • Fixes redundant space on the introduction page (intro.rst) (#32206, @network-charles)
  • fqdn: Change error log to warning (#32333, @jrajahalme)
  • fqdn: Exit go routines early if datapath update times out (#33086, @gandro)
  • fqdn: Fix notifyOnDNSMsg benchmark (#32454, @pippolo84)
  • fqdn: Fix Upgrade Issue Between PortProto Versions (#32325, @nathanjsweet)
  • fqdn: serialize requests per-name (#30109, @squeed)
  • fqdn: Skip "open ports" check for statically configured ports (#33230, @gandro)
  • fqdn: skip ipcache insertion for names without fqdn selectors (#30110, @squeed)
  • FQDN: some small performance optimizations around logging (#32049, @squeed)
  • fqdn: updating the variable name in fqdn (#32298, @vipul-21)
  • fswatcher: fix goroutine leak and refactor tests (#30734, @lmb)
  • gateway-api: Bump to the latest version from upstream (#30537, @sayboras)
  • gateway-api: Replace deprecated status (#31111, @sayboras)
  • gateway-api: Update docs for v1.1.0 (#33119, @sayboras)
  • gh/actions: Bump CLI to v0.16.6 (#32271, @brb)
  • gh: template: query whether the bug is a regression (#30842, @julianwiedmann)
  • gha: Enable Envoy debug in default Cilium options (#32334, @jrajahalme)
  • gha: Update kube-proxy-replacement flag values (#30483, @sayboras)
  • go.mod: Bump controller-tools fork version to v0.8.0-2 to allow XValidation kubebuilder markers (#30362, @rastislavs)
  • golangci: Enable errorlint (#31458, @jrajahalme)
  • Grant the CiliumEndpointSlice controller a new Clientset to decouple it from the other Cilium Operator controllers. (#32353, @thorn3r)
  • healthv2: Various fixes (#32549, @joamaki)
  • Helm: additional info for mtu value (#30175, @darox)
  • helm: Allow socket linger timeout to be set to zero (Backport PR #33941, Upstream PR #33887, @gandro)
  • helm: Allow unsupported K8s versions for now (#29888, @gandro)
  • helm: Bump helm-toolbox version (#30148, @sayboras)
  • helm: don't create remote-users ConfigMap when the clustermesh-apiserver is not enabled (#30008, @giorio94)
  • helm: drop IDENTITY_ALLOCATION_MODE environment variable from clustermesh-apiserver (#33191, @giorio94)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (#29674, @giorio94)
  • helm: no operator hostPorts when hostNetwork is disabled (#32127, @balous)
  • helm: Permit selection of datasources in UI (#30161, @jcpunk)
  • helm: Remove CILIUM_BRANCH variable (#32776, @michi-covalent)
  • helm: Remove pipe in value comments to avoid breaking Helm reference (#31588, @qmonnet)
  • helm: uniform CA generation for hubble and clustermesh (#33024, @giorio94)
  • helm: update nodeinit image using renovate (#31641, @tklauser)
  • hive/cell/health: don't warn when reporting on stopped reporter. (#31262, @tommyp1ckles)
  • hive: Add post-start log message to record duration (#30521, @joamaki)
  • hive: cast ModuleID to string (#32392, @bimmlerd)
  • hive: Fix hive hook output and move lifecycle to cell package (#30416, @joamaki)
  • hive: Fix the ineffectual SetEnvPrefix (#30489, @joamaki)
  • hive: Fixed copy-paste error in reconciler.Metrics implementation (#33374, @dylandreimerink)
  • hive: Rebase on cilium/hive (#32020, @bimmlerd)
  • hive: Reduce hive trace logs to debug level (#32033, @joestringer)
  • hubble, policy: shuffle types to reduce imports (#32378, @squeed)
  • hubble-ui: release v0.12.3 (#30422, @geakstr)
  • hubble/relay/server: remove unused Server.stop chan (#31560, @tklauser)
  • hubble: Add an interface for Parser struct (#29876, @anubhabMajumdar)
  • hubble: Reduce "stale identities observed" debug messages even more (#29957, @gandro)
  • hubble: Support --cel-expression filter in hubble observe (#32147, @chancez)
  • identity: Ensure checkpoint runs on shutdown (#33272, @gandro)
  • identity: stop double-update of selector cache and regenerate when a local identity is allocated (#29865, @squeed)
  • Ignore kvstore node events for the local node, to avoid unnecessarily increasing the ipcache_errors_total (cannot_overwrite_by_source) metric. (#31399, @giorio94)
  • images/builder: get rid of annoying git ownership warnings (#31538, @ti-mo)
  • images/builder: let renovate update protoc and proto plugins (#32739, @rolinh)
  • images/cilium: Move Envoy reference away from builder and runtime (#32452, @jrajahalme)
  • images: bump cni plugins to v1.4.1 (#31347, @aanm)
  • images: Regenerate api/v1 when updating builder (#32804, @joestringer)
  • images: support release branches when updating envoy image (#30463, @mhofstetter)
  • images: Update bpftool, checkpatch images (#31753, @qmonnet)
  • images: Update LLVM to 17.0.6 (#31418, @gentoo-root)
  • ImmSet optimisation for multi inserts or multi deletions (#33138, @DamianSawicki)
  • Improve compatibility with LLVM 17. (#31403, @gentoo-root)
  • Improve compatibility with LLVM 17. (#31459, @gentoo-root)
  • Improve compatibility with LLVM 17. (#31849, @gentoo-root)
  • Improve compatibility with LLVM 18. (#32918, @gentoo-root)
  • Improve dev-doctor version detection and error reporting (#32035, @joestringer)
  • Improve insertNodeNeighbor behavior to report health (#29415, @derailed)
  • Improve LocalNodeStore.Get() performance and fix possible deadlock (#31013, @giorio94)
  • Improve release organization page (#31970, @joestringer)
  • Increase usability of Makefile.override (#32660, @learnitall)
  • ingress/gateway-api: stable address order for Ingress hostnetwork listener addresses (#31477, @mhofstetter)
  • ingress/gatewayapi: move construction of translators into hive cells (#30606, @mhofstetter)
  • ingress: Add CNP example for default deny (#31436, @sayboras)
  • ingress: change hostnetwork default port to unprivileged 8080 (#32159, @mhofstetter)
  • ingress: Copy LB IPAM related annotation by default (#30487, @sayboras)
  • ingress: Correct FromGroups rule Parsing (#32231, @Alex-Waring)
  • ingress: move flag ingress-default-xff-num-trusted-hops to cell config (#32190, @mhofstetter)
  • ingress: pass enforcedHttps from config (cell) to reconciler (#30804, @mhofstetter)
  • ingress: remove json struct tags from internal ingress translation model (#31659, @mhofstetter)
  • ingress: remove unused annotations (#30733, @mhofstetter)
  • ingress: sort all shared ingresses during model generation (#31494, @mhofstetter)
  • ingress: Update docs with network policy example (#31060, @sayboras)
  • install/kubernetes: add AppArmor profile to Cilium Daemonset (#32199, @aanm)
  • install/kubernetes: update nodeinit image to latest version (#32181, @tklauser)
  • install/kubernetes: update nodeinit image to latest version (#33427, @marseel)
  • install: Update image digests for v1.16.0-rc.1 (#33464, @joestringer)
  • install: Update image digests for v1.16.0-rc.2 (#33832, @cilium-release-bot[bot])
  • Introduce clustermesh source to differentiate data retrieved from remote clusters (#32688, @giorio94)
  • Introducing stylecheck linter to detect duplicate package imports in Go code (#30215, @nickolaev)
  • ipam/crd: remove redundant len and nil check (#30183, @Juneezee)
  • ipam: cell for IPAM and IPAMRestAPIHandler (#33089, @mhofstetter)
  • ipam: lower loglevel from error to warn if eni link list can't be listed (#32602, @mhofstetter)
  • IPAM: Refactors Node API Types to Support Separate IP Families (#30684, @danehans)
  • ipam: Remove unused variable (#31401, @christarazi)
  • ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (#33120, @squeed)
  • ipcache: Introduce the ability to inherit CIDR prefixes (#32578, @gandro)
  • ipcache: Only update policy maps for new identities (#32628, @gandro)
  • ipcache: Remove synchronous CIDR identity allocation (#31311, @gandro)
  • ipcache: Replace gocheck with built-in go test (#32283, @sayboras)
  • ipsec: Debug info for transient IPsec upgrade drops (#32240, @pchaigno)
  • ipsec: minor cleanups (#31390, @julianwiedmann)
  • ipsec: support EncryptedOverlay XFRM policies (#31757, @harsimran-pabla)
  • iptables: Do not set no-track rules with empty native routing CIDR (#32648, @pippolo84)
  • iptables: early skip proxy rules install if BPF tproxy enabled (#30347, @mhofstetter)
  • iptables: Manage IP sets independently with the stateDB reconciler (#31099, @pippolo84)
  • iptables: Remove unneeded cell.Health param (#32853, @pippolo84)
  • iptables: Simplify proxy rules removing ingress/egress flag (#31068, @pippolo84)
  • iptables: Unit tests cleanup (#31368, @pippolo84)
  • job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (#30929, @bimmlerd)
  • k8s/slim: Clarify instructions for updating slim files (#29877, @christarazi)
  • k8s/watcher: remove always-nil error return values (#32663, @tklauser)
  • k8s: Add new fields into slim Service/Endpoint/EndpointSlice structs (#32754, @sayboras)
  • k8s: cleanup k8s watcher (#32790, @mhofstetter)
  • k8s: Fix envoyConfig description on CNP/CCNP CRDs (#29507, @hmonsalv)
  • k8s: Fix usage of assert in TestWaitForCacheSyncWithTimeout (#33139, @pippolo84)
  • k8s: Migrate policy watchers to Cell + Resource (#30322, @gandro)
  • k8s: modularize k8s watcher (#32878, @mhofstetter)
  • k8s: remove unused method NewStandaloneClientset (#33055, @mhofstetter)
  • k8s: remove unused policyRepository from k8swatcher (#32773, @mhofstetter)
  • k8s: Replace gocheck with built-in go test (#32211, @sayboras)
  • k8s: Update to final v1.29.0 (#29873, @christarazi)
  • k8s: use netip.IPv{4,6}Unspecified (#32818, @tklauser)
  • k8s: use cilium slices sort utility to sort Pod IPs from status (#32697, @mhofstetter)
  • kind: reset sysctl net.ipv4.ip_unprivileged_port_start to 1024 (#31370, @mhofstetter)
  • kvstore: always use scoped logger to distinguish different client instances (#32087, @giorio94)
  • kvstore: correctly assign permissions to single key, rather than prefix (#33140, @giorio94)
  • kvstore: Replace gocheck with built-in go test (#32261, @sayboras)
  • l2announcer: Fix delete entry if no origins left (#32279, @wutz)
  • l2announcer: Use the device table to access devices (#31931, @joamaki)
  • l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (#32200, @mhofstetter)
  • L7LB: Extract Envoy related logic and dependencies from ServiceManager (#30184, @mhofstetter)
  • l7lb: log service ns and name when upserting endpoints (#30502, @mhofstetter)
  • labels: small optimization in NewFrom and various cleanups (#30006, @tklauser)
  • lb: Replace gocheck with built-in go test (#32282, @sayboras)
  • lbipam: copy slice before modification in (*LBIPAM).handlePoolModified (#30859, @tklauser)
  • lint: Remove temp variable in the 'for' loop (#31523, @sayboras)
  • Loader modularization (#30280, @dylandreimerink)
  • Loader reconciliation preparatory changes (#31773, @dylandreimerink)
  • loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (#30214, @ti-mo)
  • loader: add message if error is ENOTSUP (#31413, @kkourt)
  • loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (#31025, @julianwiedmann)
  • loader: cache parsed CollectionSpec (#32962, @lmb)
  • loader: don't disable rp-filter for IPsec (#32546, @julianwiedmann)
  • loader: fetch iface just once in patchHostNetdevDatapath() (#32541, @julianwiedmann)
  • loader: misc fixes (#32520, @lmb)
  • loader: move Loader interface into separate package (#30876, @jibi)
  • loader: refactor replaceDatapath to loadDatapath (#32518, @ti-mo)
  • loader: refactor/cleanup replaceNetworkDatapath (#29825, @rgo3)
  • loader: remove CompileAndLoad (#31792, @lmb)
  • loader: remove datapathSHA256 (#32700, @lmb)
  • loader: Remove out-of-band data access (#32706, @joamaki)
  • loader: Replace gocheck with built-in go test (#32220, @sayboras)
  • loader: rewrite tests to remove gocheck dependency (#31841, @lmb)
  • loader: simplify template cache invalidation (#29449, @lmb)
  • logging: Pass debug to slog as well (#32982, @jrajahalme)
  • Low hanging fruit performance improvements of KVStoreMesh (Backport PR #33804, Upstream PR #33637, @giorio94)
  • LRP: Add explicit dependency to k8s ServiceCache (#32796, @mhofstetter)
  • LRP: Misc fix-ups (Backport PR #33630, Upstream PR #33442, @aditighag)
  • lrp: move api handler from daemon to lrp hive cell (#33102, @mhofstetter)
  • LRP: Use hive cell infra (#30923, @aditighag)
  • lxcmap: Fix comment about byte-order (#31362, @joestringer)
  • MAINTAINERS: Add Yutaro (#29982, @pchaigno)
  • make cilium/loader owner of pkg/elf (#29915, @lmb)
  • Make it clear USERS.md should be production use cases (#31316, @xmulligan)
  • makefile: check for $(CILIUM_CLI) dependency (#32424, @msune)
  • Makefile: Move kind targets to dedicated Makefile.kind (#29920, @qmonnet)
  • Makefile: Refactor hubble-relay target (#29867, @chancez)
  • Makefile: Replace release target (#32322, @joestringer)
  • Makefile: Run generate-k8s-api in builder image (#32063, @joestringer)
  • Makefile: suppress error in comment line. (#33334, @paulosjca)
  • Makefiles: Allow external input for go build/test/clean flags. (#29646, @wanlin31)
  • maps: nat: remove rtp.log (#32945, @julianwiedmann)
  • metallb bgp: introduce hive cell (#32806, @mhofstetter)
  • metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (#29343, @tommyp1ckles)
  • Misc BGP Control Plane documents (#31670, @YutaroHayakawa)
  • Misc build system improvements (#32408, @joestringer)
  • Miscellaneous cleanups around node discovery (#31397, @giorio94)
  • Miscellaneous fixes in the usage of Makefile.override and build modifiers (#33129, @giorio94)
  • Miscellaneous improvements about closing kvstore client. (#33250, @giorio94)
  • Miscellaneous improvements to clustermesh-related troubleshooting tools (#32951, @giorio94)
  • Miscellaneous improvements to the clustermesh troubleshooting guide (#32552, @giorio94)
  • Modify gitignore to ignore direnv-related files (#30366, @learnitall)
  • modularize node discovery (#31589, @dylandreimerink)
  • Modularize stale endpoint gc in an independent cell (#29246, @pippolo84)
  • monitor/payload: remove bitrotted benchmark (#29728, @lmb)
  • Move governance docs to the Cilium community repo (#31692, @katiestruthers)
  • multicast: check support for batch lookup (#31892, @harsimran-pabla)
  • multicast: modify list operations from iterator to batch lookup. (#31562, @harsimran-pabla)
  • node-manager: fix race-condition (#32606, @marseel)
  • node: add support for injection of optional ipset filter (#31550, @giorio94)
  • node: Replace ipv[46]MasqAddrs with Table[NodeAddress] (#30457, @joamaki)
  • operator/bgpv2: Fix CiliumBGPNodeConfig OwnerReference & job health reporting (#32000, @rastislavs)
  • operator/identitygc: Disable identitygc when Operator manages CID (#33381, @ovidiutirla)
  • operator/identitygc: remove unused GC.allocationCfg (#30197, @tklauser)
  • operator: Implement cache to be used for Cilium Identity management (#30649, @dlapcevic)
  • operator: include CRD categories when applying cilium CRDs (#33387, @mhofstetter)
  • operator: Remove deprecated CES sync errors metric (#33305, @christarazi)
  • operator: Replace gocheck with built-in go test (#32215, @sayboras)
  • optimize kind setup (#29758, @weizhoublue)
  • option: Make TestDaemonConfig_StoreInFile less brittle (Backport PR #33804, Upstream PR #33608, @jrajahalme)
  • Output the etcd cluster ID as part of the remote cluster status information (#32341, @giorio94)
  • Overall improvements in modularity (#30381, @aanm)
  • pkg/bgp: Replace gocheck with built-in go test (#32263, @sayboras)
  • pkg/cgroups: Cache pod metadata on datapath events (#32615, @aditighag)
  • pkg/cgroups: Remove noisy log (#32613, @aditighag)
  • pkg/clustermesh: Replace gocheck with built-in go test (#32221, @sayboras)
  • pkg/egressgateway: Replace gocheck with built-in go test (#32295, @sayboras)
  • pkg/endpoint: clean up DatapathRegenerationLevel (#32604, @lmb)
  • pkg/endpoint: do not rely on bpf_host.o to detect host endpoint (#32521, @lmb)
  • pkg/endpoint: make state synchronization atomic (#32439, @lmb)
  • pkg/endpoint: Replace gocheck with built-in go test (#32262, @sayboras)
  • pkg/endpoint: store template hash in template.txt (#33252, @lmb)
  • pkg/envoy: Replace gocheck with built-in go test (#32280, @sayboras)
  • pkg/fqdn: Replace gocheck with built-in go test (#32281, @sayboras)
  • pkg/identity: Move GetCIDKeyFromK8sLabels to GlobalIdentity (#32960, @ovidiutirla)
  • pkg/identitybackend: Make sanitizeK8sLabels method public (#32958, @ovidiutirla)
  • pkg/ip: Updates PrefixToIps() to Limit the Number of Returned IPs (#30921, @danehans)
  • pkg/ipam: Replace gocheck with built-in go test (#32227, @sayboras)
  • pkg/ipcache: Updates IPListEntrySlice.Less() to Use netip Pkg (#30191, @danehans)
  • pkg/k8s: Add required resources for Operator managing CIDs (#33021, @ovidiutirla)
  • pkg/metrics: Replace gocheck with built-in go test (#32226, @sayboras)
  • pkg/policy: Replace gocheck with built-in go test (#32223, @sayboras)
  • pkg/service: Add backends as managed neighbor entry (#31003, @borkmann)
  • pkg: Add Bitwise LPM Trie Library (#29717, @nathanjsweet)
  • pkg: Fix Deny Insert Fuzz Test (#32656, @nathanjsweet)
  • Policy catch invalid port wildcard (#33302, @jrajahalme)
  • Policy repository: use SelectorCache to determine subject pods (#32849, @squeed)
  • policy/k8s: Fix bug where policy synchronization event was lost (#32028, @gandro)
  • policy/k8s: Fix deadlock in ToServices implementation (Backport PR #33825, Upstream PR #33739, @gandro)
  • policy/k8s: Fix race in service notification shutdown (Backport PR #33838, Upstream PR #33806, @gandro)
  • policy/k8s: Refactor and move ToServices translation to policy package (#31062, @gandro)
  • policy: Add Port Range Support for Policies Part 1 (#32430, @nathanjsweet)
  • policy: Add Port Range Support for Policies Part 2/3 (#32675, @nathanjsweet)
  • policy: expand "world" entity selector to select all address families (#29958, @squeed)
  • policy: Fix mapstate.Diff() used in tests (Backport PR #33630, Upstream PR #33449, @jrajahalme)
  • policy: fix client side validation of policies in policy import/validate command (#31924, @oblazek)
  • policy: Fix Distillery Tests (#33037, @nathanjsweet)
  • policy: fix flaky unit test (#32808, @squeed)
  • policy: Fix MapState.Equals() (#30233, @jrajahalme)
  • policy: Fix missing labels from SelectorCache selectors (#31358, @christarazi)
  • policy: Keep deny entries when covered by another CIDR deny (#33719, @jrajahalme)
  • policy: Remove unused allow-remotehost-ingress derivedFrom label (#32058, @gandro)
  • policy: Replace panics with error logs with stacktrace (#33333, @jrajahalme)
  • policy: take SelectorCache read lock when applying incremental changes (#33345, @squeed)
  • Post release for 1.15.0 (#30560, @aanm)
  • precheck: Avoid using unbounded io.ReadAll func (#32967, @sayboras)
  • prefilter: move api handler from daemon to prefilter hive cell (#33104, @mhofstetter)
  • Prepare for release v1.16.0-pre.0 (#31121, @aanm)
  • Prepare for release v1.16.0-pre.1 (#31733, @joestringer)
  • Prepare for release v1.16.0-pre.2 (#32324, @joestringer)
  • Prepare for release v1.16.0-pre.3 (#32857, @aanm)
  • Prepare for release v1.16.0-rc.0 (#33207, @aanm)
  • Prepare for release v1.16.0-rc.1 (#33463, @joestringer)
  • Prepare for release v1.16.0-rc.2 (#33831, @cilium-release-bot[bot])
  • Prepare for v1.16 development cycle (#29802, @joestringer)
  • Print verbose verifier logs on verifier errors in socketlb (#31321, @gentoo-root)
  • proxy / envoy: Cleanup dependencies to XDSServer & Proxy (#29892, @mhofstetter)
  • Proxy persist proxy ports (#32973, @jrajahalme)
  • proxy: configurable portrange (#31556, @mhofstetter)
  • proxy: remove unused ifaces and code for proxy <-> endpoint interaction (#31547, @mhofstetter)
  • proxy: remove unused interface IPCacheManager (#30171, @mhofstetter)
  • README: Update releases (#30389, @gentoo-root)
  • README: Update releases (#30784, @michi-covalent)
  • README: Update releases (#31665, @thorn3r)
  • README: Update releases (#31734, @joestringer)
  • README: Update releases (#32329, @joestringer)
  • README: Update releases (#32554, @nebril)
  • README: Update releases (#32861, @aanm)
  • README: Update releases (#33049, @qmonnet)
  • README: Update releases (#33217, @aanm)
  • Readme: Updates for release 1.15.4, 1.14.10, 1.13.15 (#32098, @asauber)
  • Reconcile qdiscs accurately when using BW manager (#33161, @hemanthmalla)
  • recorder: hive cell (recorder & rest api handler) (#33114, @mhofstetter)
  • Refactor clustermesh global service cache to prepare for the endpoint slice clustermesh synchronization (#30883, @MrFreezeex)
  • Refactor getEnvoyHTTPRouteConfiguration test (#30022, @youngnick)
  • Refactor InitK8sSubsystem and adding unit tests (#31645, @anubhabMajumdar)
  • refactor: config options combined into DNS proxy config struct (#32777, @vipul-21)
  • Refactor: remove config interface (#29506, @AwesomePatrol)
  • reinstate hive health metrics (#32603, @bimmlerd)
  • release/bump-readme.sh: Don't overwrite latest -rc with older -pre tag (#30412, @qmonnet)
  • Remove HAVE_LARGE_INSN_LIMIT (#31094, @dylandreimerink)
  • Remove skip-cnp-status-startup-clean (#30508, @chaunceyjiang)
  • Remove aks-preview from AKS workflows (#32118, @marseel)
  • Remove bpf map migration mechanism to minimize bpf file system operations during endpoint regeneration (#33067, @ti-mo)
  • Remove CiliumOperatorName constant (#31597, @miono)
  • Remove hostPort dependency on BPF NodePort (#32046, @chaunceyjiang)
  • Remove Hubble-OTel from the roadmap (#31847, @xmulligan)
  • Remove Istio ambient compatibility blurb (#31525, @bleggett)
  • Remove old bpf feature probes (#31096, @dylandreimerink)
  • Remove release scripts (#32938, @aanm)
  • Remove superfluous nolint comments (#31743, @tklauser)
  • Remove tcx links created by Cilium 1.16 onwards (#31553, @ti-mo)
  • remove tracking of backports with MLH (#33123, @aanm)
  • Remove unused functions in pkg/comparator (#30075, @pippolo84)
  • Remove unused kvstore methods to unclutter the backend interface (#30012, @giorio94)
  • Remove v1.12 from Container Vulnerability Scan (#32114, @marseel)
  • Removed Cilium Operator options cnp-status-cleanup-burst and cnp-status-cleanup-qps (#32877, @marseel)
  • removed deprecated calls and added nolint for strings.Title (#32936, @yogesh1801)
  • Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (#30154, @ldelossa)
  • renovate add trusted dependencies (#33312, @aanm)
  • Renovate changes (Backport PR #33560, Upstream PR #33519, @aanm)
  • renovate: add auto-approve bot for renovate PRs (Backport PR #33641, Upstream PR #33604, @aanm)
  • renovate: Add the configuration for spire images (#33078, @sayboras)
  • renovate: don't separate minor/patch updates of Go modules (#30195, @tklauser)
  • renovate: Drop references to Cilium 1.12 (#31148, @joestringer)
  • renovate: fix config (missing comma) (#32765, @rolinh)
  • renovate: ignore dependency github.com/google/go-licenses (#32848, @rolinh)
  • renovate: match rhel8 lvh image updates (#30891, @tklauser)
  • renovate: onboard etcd image used in integration tests (Backport PR #33804, Upstream PR #33679, @giorio94)
  • renovate: prevent upgrading certgen to v0.2 in stable branches (#32998, @giorio94)
  • renovate: run post upgrade tasks on Makefile.values (#33165, @aanm)
  • renovate: separate major.minor.patch for lvh images (#31126, @aanm)
  • renovate: try to group dependency updates on single PR (#30874, @aanm)
  • renovate: update k8s dependencies automatically (#33236, @aanm)
  • Replace option.Config.{Get,Set,Append}Devices by table lookups (#30578, @bimmlerd)
  • Replace pkg/rand by standard library math/rand/v2 (#32542, @tklauser)
  • Replaced declare_tailcall_if with logic in the loader (#30467, @dylandreimerink)
  • Require dead code elimination support (#30814, @dylandreimerink)
  • require large instruction limit (#30896, @lmb)
  • restoration: checkpoint local allocator state, utilize on restoration (#32310, @squeed)
  • Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (#29300, @learnitall)
  • Revert "Fix CiliumEnvoyConfig Nodeport handling" #33040 (#33256, @markpash)
  • Revert "IPAM: Adds AWS IPv6 Prefix Delegation Config Option" (#33394, @christarazi)
  • Revert "Remove hostPort dependency on BPF NodePort" (#32160, @squeed)
  • Revert "renovate: don't separate minor/patch updates of Go modules" (#30210, @tklauser)
  • Revert "workflow: yaml change - change "cosign attach" to "cosign attest"" (#30827, @aanm)
  • route: Also compare ip rule mask for lookupRule (#31700, @jschwinger233)
  • Seamlessly downgrade bpf attachments from tcx to tc (#32228, @ti-mo)
  • secret-sync: improve logging (#31415, @mhofstetter)
  • service: refactor monitoragent nil-checks (#33069, @mhofstetter)
  • signal: remove spare debug logs (#31723, @tklauser)
  • slices: don't modify input slices in test (#30677, @tklauser)
  • Small refactor in datapath/linux/node.go (#28849, @derailed)
  • Some minor but helpful ipcache performance improvements (#32876, @squeed)
  • srv6: Some cleanups for SRv6 maps (#31960, @YutaroHayakawa)
  • statedb/reflector: Add Kubernetes to StateDB reflector (#30527, @joamaki)
  • statedb: Reconciler utility (#30303, @joamaki)
  • statedb: Add ServeHTTP and Iterate method (#30499, @joamaki)
  • statedb: Derive, Observable and Map (#30246, @joamaki)
  • Store zone information alongside lb{4,6}_backend entries (based on mapping from fixed-zone-mapping and values from EndpointSlices) (#31838, @AwesomePatrol)
  • stream: Add Buffer operator (#30444, @joamaki)
  • stream: Relocate to cilium/stream (#30846, @joamaki)
  • Support extending hubble-relay as a downstream packager (#30357, @chancez)
  • svc: Use in-memory l7 service map to check L7 service (Backport PR #33941, Upstream PR #33879, @sayboras)
  • Test: fix invalid network policies (#32901, @squeed)
  • test: Re-enable few test suites missed as part of recent migration (#32687, @sayboras)
  • test: Replace gocheck with built-in go test (#32297, @sayboras)
  • test: Replace gocheck with built-in go test (#32401, @sayboras)
  • test: Update Go test helpers for renamed cilium-dbg (#32661, @joestringer)
  • toFQDNs: Add documentation and metrics for fqdn identities (#33237, @gandro)
  • Transition to NodeMapV2 which now includes SPI in its map values. (#31431, @ldelossa)
  • Typo fix in the docs (#30407, @nvibert)
  • Unconditionally add NodeInternalIPs to the allowed IPs for WireGuard peers (#30975, @giorio94)
  • Update AUTHORS (#29905, @joestringer)
  • Update CEPS watchdog bpf program loaded logger (#31936, @derailed)
  • update cilium/certgen to v0.1.11 (#31863, @rolinh)
  • Update CiliumEnvoyConfig log for headless Services (Backport PR #33846, Upstream PR #33628, @youngnick)
  • Update hint links of golangci-lint. (#33158, @renyunkang)
  • update list of SIGs (#32477, @katiestruthers)
  • Update module health report for cilium status CLI (#30429, @derailed)
  • update readme with 1.16.0-pre.0 (#31128, @aanm)
  • Update readme with v1.15.0-rc.1 (#30279, @aanm)
  • Update USERS.md - add Gcore info on supporting Cilium (#31763, @rzdebskiy)
  • Update XDP drivers support list in BPF docs (#30658, @janvi01)
  • updated docs to reflect Envoy as a DS option (#29518, @nvibert)
  • Updating Rancher Desktop Install instructions (#29911, @divya-mohan0209)
  • upgrade-notes: add information about kvstoremesh and external workloads (#33695, @marseel)
  • Use ebpf.PossibleCPU to determine number of possible CPUs (#32323, @tklauser)
  • Use Resource[T] to implement CEP and CES watchers (#29249, @pippolo84)
  • Use Resource[T] to implement CiliumNode watcher (#29222, @pippolo84)
  • USERS.md: Add Santa Claus to the list of users (#30083, @qmonnet)
  • USERS.md: Add Sealos to the list of users (#30369, @yangchuansheng)
  • users.md: sphere doesn't exist anymore, 👋 datadog (#29927, @mvisonneau)
  • v1.16 stable branch preparation (#33453, @aanm)
  • vendor: pin StateDB to version v0.1.0 (#33186, @joamaki)
  • Wait for CEC and CCEC resources before restoring endpoints. (#32981, @jrajahalme)
  • wireguard: minor improvements for to-wireguard program (Backport PR #33804, Upstream PR #33764, @julianwiedmann)
  • WireGuard: remove cleanup for obsolete IP rules (#31874, @julianwiedmann)
  • workflow: yaml change - change "cosign attach" to "cosign attest" (#30823, @umesh3034)
  • xds: Move MockStream to stream_test.go (#30943, @sayboras)