date: | 2018-04-01 |
---|---|
commit: | f1d4144ddb62003ccf58e016c523f323ad82c3a1 |
- envoy: Make 403 message configurable. (3430, @jrajahalme)
- Add support label-dependent L4 egress policy (3372, @ianvernon)
- Fix entity dependent L4 enforcement (3451, @tgraf)
- cli: Fix cilium bpf policy get (3446, @tgraf)
- Fix CIDR ingress lookup (3406, @joestringer)
- xds: Handle NACKs of initial versions of resources (3405, @rlenglet)
- datapath: fix egress to world entity traffic, add e2e test (3386, @ianvernon)
- bug: Fix panic in health server logs if /healthz didn't respond before checking status (3378, @nebril)
- pkg/policy: remove fromEntities and toEntities from rule type (3375, @ianvernon)
- Fix IPv4 CIDR lookup on older kernels (3366, @joestringer)
- Fix egress CIDR policy enforcement (3348, @tgraf)
- envoy: Fix concurrency issues in Cilium xDS server (3341, @rlenglet)
- Fix bug where policies associated with stale identities remain in BPF policy maps, which could lead to "Argument list too long" errors while regenerating endpoints (3321, @joestringer)
- Update CI and docs : kafka zookeeper connection timeout to 20 sec (3308, @manalibhutiyani)
- Reject CiliumNetworkPolicy rules which do not have EndpointSelector field (3275, @ianvernon)
- Envoy: delete proxymap on connection close (3271, @jrajahalme)
- Fix nested cmdref links in documentation (3265, @joestringer)
- completion: Fix race condition that can cause panic (3256, @rlenglet)
- Additional NetworkPolicy tests and egress wildcard fix (3246, @tgraf)
- Add timeout for getting etcd session (3228, @nebril)
- conntrack: Cleanup egress entries and distinguish redirects per endpoint (3221, @rlenglet)
- Silence warnings during endpoint restore (3216, @tgraf)
- Fix MTU connectivity issue with external services (3205, @joestringer)
- endpoint: Don't fail with fatal on l4 policy application (3199, @tgraf)
- Add new Kafka Role to the docs (3186, @manalibhutiyani)
- Fix log records for Kafka responses (3127, @tgraf)
- Refactor /endpoint/{id}/config for API 1.0 stabilit (3448, @tgraf)
- envoy: Add host identity (nphds) gRPC client (3407, @jrajahalme)
- Increase capacity of BPF maps (3391, @tgraf)
- daemon: Merge Envoy logs with cilium logs by default. (3364, @jrajahalme)
- docs: Fix the Kafka policy to use the new role in the GSG (3350, @manalibhutiyani)
- CI / GSG : make Kafka service headless (3320, @manalibhutiyani)
- Use alpine as base image for Docs container (3301, @iamShantanu101)
- Update kafka zookeeper session timeout to 20 sec in CI tests and docs (3298, @manalibhutiyani)
- Support access log from sidecar and per-endpoint redirect stats (3278, @rlenglet)
- Improve sanity checking in endpoint PATCH API (3274, @joestringer)
- Update Kafka GSG policy and docs to use the new "roles" (3269, @manalibhutiyani)
- maps: allow for migration when map properties change (3267, @borkmann)
- bpf: Retire CT entries quickly for unreplied connections (3238, @joestringer)
- CMD: Add json output on endpoint config (3234, @eloycoto)
- Plumb the contents of the ip-identity cache to a BPF map for lookup in the datapath. (3037, @ianvernon)
date: | 2018-03-19 |
---|---|
commit: | bb11ad1a15907feb9304f55a26a95bed77291f1d |
- Bump kubernetes minimal version supported to 1.7 (3102, @aanm)
- Add Kafka roles to simplify policy specification language (2997, @manalibhutiyani)
- Add support for label-based policies on egress (2878, @ianvernon)
- Add mapping of endpoint IPs to security identities in the key-value store. Watch the key-value store for updates and cache them locally per agent. (2875_, @ianvernon)
- Cilium exports CiliumEndpoint objects to kubernetes clusters. (2772, @raybejjani)
- pkg/ipcache: check if event type is EventTypeListDone before unmarshal of value (3193, @ianvernon)
- proxy: envoy: use url.Parse() to generate URL field (3188, @tgraf)
- Fix bug where IPv6 proxy map entries were never garbage collected (3181, @joestringer)
- Log failure to insert into proxymap as its own monitor drop log
- Lower timeout for bpf proxy map entries (now 5 minutes)
- Kafka CI: Add a WaitKafkaBroker to wait for Kafka broker to be up before produce/consume (3156, @manalibhutiyani)
- GinkgoRuntime CI: Avoid possible race between Kafka consume and produce (3153, @manalibhutiyani)
- Documentation: Fix generated links when documentation is built from tags (3128, @tgraf)
- create new identity when endpoint labels change and re assign identity based on all endpoint labels when restoring (3104, @aanm)
- Fix cilium status of k8s CRD watcher when unable to set up k8s client (3103, @aanm)
- examples/mesos: Change ubuntu VB to be correct version (3094, @jMuzsik)
- cilium status: Fix exit code when components are disabled (3069, @tgraf)
- Fix L4-only policy enforcement on ingress without fromEndpoints selector (2992, @joestringer)
- Add compatibility for kubernetes 1.11 (2966, @aanm)
- Remove proxymap entry after closing connection (3190, @tgraf)
- examples: Provide simple etcd standalone deployment example (3167, @tgraf)
- Report policy revision implemented by the proxy in Endpoint model (3151, @joestringer)
- Ginkgo: Add a option to run test in different vms (3120, @eloycoto)
- Support a larger number of CIDR prefixes when running on older kernels. Now limited by the number of unique prefix lengths in the policies for an endpoint, which should be less than forty. (3119, @joestringer)
- Only expose cilium-health API over unix socket by default (3096, @joestringer)
- Reject policies that contain rules with more than one L3 match in a single rule (3015, @joestringer)
date: | 2018-03-08 |
---|---|
commit: | 9412a28332cd0d7afe489f6efd37edc8668f3a81 |
- add "update" verb for customresourcedefinitions in cilium DaemonSet spec file (3052, @aanm)
- bpf: Move calls map to temporary location and remove after filter replacement (3049, @tgraf)
- bpf: Remove policy maps of programs loaded in init.sh (3042, @tgraf)
- agent: Fix manual endpoint regeneration (3040, @tgraf)
- Fix cilium CRD update in case schema validation changes (3029, @aanm)
- examples/getting-started: Fix failure to install docker (3020, @tgraf)
- bpf: Retry opening map after initial error (3018, @tgraf)
- consul: Report modified keys even if previously not known (3013, @tgraf)
- Restore error behaviour of endpoint config updates (3054, @ianvernon)
- Delete obsolete cilium-envoy.log on startup (3047, @manalibhutiyani)
- Introduce DebugLB option in endpoint config (3036, @joestringer)
- Support log rotation for envoy log (3034, @manalibhutiyani)
date: | 2018-03-02 |
---|---|
commit: | 5e90ac8271773a8d4cceca8b61511062489e845d |
- Envoy: add NACK processing (2991 @jrajahalme)
- envoy: Use downstream HTTP protocol for upstream connections. (2970 @jrajahalme)
- Removed action field from BPF policy map entries (2918 @joestringer)
date: | 2018-02-27 |
---|---|
commit: | 0c269fc0212ce789c28e068137c6a963411e6df4 |
- Fix BPF policy map specification inconsistency between BPF programs (2953 @joestringer)
- k8s: Do not attempt to sync headless services to datapath (2937 @tgraf)
- identity cache: Support looking up reserved identities (2922 @tgraf)
- Fix IPv4 L4 egress policy enforcement with service port mapping (2912 @joestringer)
- Fix kubernetes default deny policy for kubernetes 1.7 (2887 @aanm)
- Log Kafka responses (2881 @tgraf)
- Several fixes to support long-lived persistent connections (2855 @tgraf)
- Clean endpoint BPF map on daemon start (2814 @mrostecki)
- Add documentation on how to retrieve overall health of cluster (2944 @tgraf)
- monitor: Introduce channel to buffer notifications and listeners (2933 @tgraf)
- bpf: Warn if another program is using a VXLAN device (2929 @tgraf)
- Make Kafka K8s GSG CI tests work on multinode setup (2926 @manalibhutiyani)
- Add proxy status to cilium status (2894 @tgraf)
- contrib: Add script to run cilium monitor on all k8s nodes (2867 @tgraf)
- Update example cilium-ds.yaml files to support rolling updates. (2865 @ashwinp)
- Add cluster health summary to cilium status (2858 @joestringer)
- Consistently use -o json as the CLI arguments for printing JSON output across all commands that support JSON output (2852 @joestringer)
- Simplify output of cilium status by default, add new --verbose, --brief options (2821 @joestringer)
- Ginkgo : Support K8s CI Coverage for Kafka GSG (2806 @manalibhutiyani)
date: | 2018-02-15 |
---|---|
commit: | 95a2c8aeae18c2c62e1f969e02dff15913cdf267 |
- api: Introduce & expose endpoint controller statuses (2720, @tgraf)
- More scalable kvstore interaction layer (2708, @tgraf)
- Add agent notifications & access log records to monitor (2667, @tgraf)
- Remove oxyproxy and make Envoy the default proxy (2625, @jrajahalme)
- New controller pattern for async operations that can fail (2597, @tgraf)
- Add cilium-health endpoints for datapath connectivity probing (2315, @joestringer)
- Avoid concurrent access of rand.Rand (2823, @tgraf)
- kafka: Use policy identity cache to lookup identity for L3 dependant rules (2813, @manalibhutiyani)
- envoy: Set source identity correctly in access log. (2807, @jrajahalme)
- replaced sysctl invocation with echo redirects (2789, @aanm)
- Set up the k8s watchers based on the kube-apiserver version 2731 (#2735_, @aanm)
- bpf: Use upper 16 bits of mark for identity (2719, @tgraf)
- bpf: Generate BPF header in order after generating policy (2718, @tgraf)
- Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional. (2699, @ianvernon)
- Gracefully handle when these objects are nil when we are parsing NetworkPolicy.
- Enforce policy update immediately on ongoing connections 2569 #2408 (#2684_, @aanm)
- envoy: fix rule regex matching by host (2649, @aanm)
- Kafka: Correctly check msgSize in ReadResp before discarding. (2637, @manalibhutiyani)
- Fix envoy deadlock after first crash (2633, @aanm)
- kafka: Reject requests on empty rule set (2619, @tgraf)
- CNP CRD schema versioning (2614, @nebril)
- Fix race while updating L7 proxy redirect in L4PolicyMap (2607, @joestringer)
- Don't allow API users to modify reserved labels for endpoints. (2595, @joestringer)
date: | 2018-01-18 |
---|---|
commit: | nil |
- Multi stage Docker builds to use prebuilt Envoy dependencies. (2452, @jrajahalme)
- clusterdebug tool to help identify the most commonly encountered (2348, @ashwinp)
- Document how pull-request builds work with Cilium's Jenkins setup (2521, @ianvernon)
- cli: Add "cilium bpf proxy list" command (2504, @mrostecki)
- Document multi node connectivity troubleshooting (2499, @tgraf)
- Added option to allow running cilium-agent on a node with no container runtime (2490, @aanm)
- cli: Add JSON formatting in "cilium config" (2489, @mrostecki)
- Update version cmd output to json (2453, @stevenceuppens)
- Envoy: Reflect cilium log level to Envoy. (2436, @jrajahalme)
- Fix Ginkgo Kafka tests to initialize config for policy enforcement to default (2432, @manalibhutiyani)
- Use version 2.7 of developer box, which contains commonly-used Docker images for tests pre-packaged (2404, @ianvernon)
- monitor: add gops (2393, @scanf)
- Tl/fix rpm package build (2386, @tonylambiris)
- Reduce the readinessProbe delay to mark the pod as ready earlier (2377, @tgraf)
- Correctly report destination identity in datapath traces for packets to host, world, and cluster (2359, @manalibhutiyani)
- Allow for empty endpoint selector. This enables defining policy which applies to all endpoints. (2358, @tgraf)
- docs: Cluster-wide debugging tool documentation (2356, @ashwinp)
- Add CRD validation for CNP in kubernetes (2304, @aanm)
- Use DNS names in getting started guides (2254, @techcet)
- use cilium/connectivity-container in nightly tests (2247, @ianvernon)
- fail all stages in build if any stage fails in Jenkins (2246, @ianvernon)
- Enabled policy enforcement on cilium network policy from any namespace (2235, @aanm)
- agent: Increase timeout when executing commands (2512, @tgraf)
- Fix too small timeout causing containers not to show up as endpoints under heavy system load (2508, @tgraf)
- Correct a bug that rejected IPv4 backend headless services from k8s (2502, @raybejjani)
- Endpoint: Fix panic when trying to delete on restore. (2478, @eloycoto)
- Fix an issue where cilium would crash if two endpoint disconnect endpoints for the same endpoint occurred in quick succession. (2396, @joestringer)
- cni: Create destination directory if it does not exist (2382, @tgraf)
- Allow for empty endpoint selector. This enables defining policy which applies to all endpoints. (2358, @tgraf)
- Fix nil pointer when v6 CIDR was not set by kubernetes. (2355, @aanm)
- Fix for allowing Cilium to run with BPF interpreter instead of JIT when JIT is compiled out. (2350, @borkmann)
- Fix bug which was causing incorrect policy enforcement after restarting cilium (2340, @aanm)
- Fix nil pointer access when unable to reach the KVStore (2325, @aanm)
- Fix stuck "restoring" state while restoring the endpoints 2167 (2324, @aanm_)
- Enable multiple policies with the same name but on different namespaces to be enforced 1938 (2313, @aanm_)
- Fix logging setup for submodules (2299, @aanm)
- Fix cilium bpf policy list to print l4 ports (2271, @joestringer)
- Kafka: producing messages denied by policy crashes Cilium agent (2265, @manalibhutiyani)
- Fix bug when endpoint does not get out of WaitingForIdentity state (2237, @tgraf)
- Enforcing policy after loading policy when endpoints where in "default" policy enforcement mode. (2219, @aanm)
date: | 2017-12-04 |
---|---|
commit: | nil |
- Tech preview of Envoy as Cilium HTTP proxy, adding HTTP2 and gRPC support. (1580, @jrajahalme)
- Introduce "cilium-health", a new tool for investigating cluster connectivity issues. (2052, @joestringer)
- cilium-agent collects and serves prometheus metrics (2127, @raybejjani)
- bugtool and debuginfo (2044, @scanf)
- Add nightly test infrastructure (2212, @ianvernon)
- Separate ingress and egress default deny modes with better control (2156, @manalibhutiyani)
- k8s: add support for IPBlock and Egress Rules with IPBlock (2096, @ianvernon)
- Kafka: Support access logging for Kafka requests/responses (1870, @manalibhutiyani)
- Added cilium endpoint log command that returns the endpoint's status log (2060, @raybejjani)
- Routes connecting the host to the Cilium IP space is now implemented as individual route for each node in the cluster. This allows to assign IPs which are part of the cluster CIDR to endpoints outside of the cluster as long as the IPs are never used as node CIDRs. (1888, @tgraf)
- Standardized structured logging (1801, 1828, 1836, 1826, 1833, 1834, 1827, 1829, 1832, 1835, @raybejjani_)
- Fix L4Filter JSON marshalling (1871, @joestringer)
- Fix swapped src dst IPs on Conntrack related messages on the monitor's output (2228, @aanm)
- Fix output of cilium endpoint list for endpoints using multiple labels. (2225, @aanm)
- bpf: fix verifier error in dameon debug mode with newer LLVM versions (2181, @borkmann)
- pkg/kvstore: fixed race in internal mutex map (2179, @aanm)
- Proxy ingress policy fix for LLVM 4.0 and greater. Resolves return code 500 'Internal Error' seen with some policies and traffic patterns. (2162, @jrfastab)
- Printing patch clang and kernel patch versions when starting cilium. (2137, @aanm)
- Clean up Connection Tracking entries when a new policy no longer allows it. 1667, 1823 (#2136_, @aanm_)
- k8s: fix data race in d.loadBalancer.K8sEndpoints (2129, @aanm)
- Add internal queue for k8s watcher updates 1966 (2123, @aanm_)
- k8s: fix missing deep copy when updating status (2115, @aanm)
- Accept traffic to Cilium in FORWARD chain (2112, @tgraf)
- Fix SNAT issue in combination with kube-proxy, when masquerade rule installed by kube-proxy takes precedence over rule installed by Cilium. (2108, @tgraf)
- Fixed infinite loop when importing CNP to kubernetes with an empty kafka version (2090, @aanm)
- Mark cilium pod as CriticalPod in the DaemonSet (2024, @manalibhutiyani)
- proxy: Provide identities { host | world | cluster } in SourceEndpoint (2022, @manalibhutiyani)
- In kubernetes mode, fixed bug that was allowing cilium to start up even if the kubernetes api-server was not reachable 1973 (2014, @aanm_)
- Support policy with EndpointSelector missing (1987, @raybejjani)
- Implemented deep copy functionality when receiving events from kubernetes watcher 1885 (1986, @aanm_)
- pkg/labels: Filter out pod-template-generation label (1979, @michi-covalent)
- bpf: Double timeout on building BPF programs (1949, @raybejjani)
- policy: add PolicyTrace msg to AllowsRLocked() when L4 policies not evaluated (1939, @gnahckire)
- Handle Kafka responses correctly (1924, @manalibhutiyani)
- bpf: Avoid excessive proxymap updates (2210, @joestringer)
- cilium-agent correctly restarts listening for CiliumNetworkPolicy changes when it sees decoding errors (1899, @raybejjani)
- Automatically generate command reference of agent (2223, @tgraf)
- Access log rotation support with backup compression and automatic deletion support. (1995, @manalibhutiyani)
- kubernetes examples support prometheus metrics scraping (along with sample prometheus configuration) (2192, @raybejjani)
- Start serving the cilium API almost immediately while restoring endpoints on the background. (2116, @aanm)
- Added cilium endpoint healthz command that returns a summary of the endpoint's health (2099, @raybejjani)
- Documentation: add a CLI reference section (2079, @scanf)
- Documentation: add support for tabs via plugin (2078, @scanf)
- Feature Request: Add option to disable loadbalancing (2048, @manalibhutiyani)
- monitor: reduce overhead (2037, @scanf)
- Use auto-generated client to communicate with kube-apiserver (2007, @aanm)
- Documented kubernetes API Group usage in docs (1989, @raybejjani)
- doc: Add Kafka policy documentation (1970, @tgraf)
- Add Pull request and issue template (1951, @tgraf)
- Update Vagrant images to ubuntu 17.04 for the getting started guides (1917, @aanm)
- Add CONTRIBUTING.md (1898, @tgraf)
- Introduction of release notes gathering script in use by the Kubernetes project (1893, @tgraf)
- node: Install individual per node routes (1888, @tgraf)
- Add CLI for dumping BPF endpoint map (lxcmap) (1854, @joestringer)
- add command for resetting agent state (1678, @scanf)
- Improved CI testing infrastructure and fixed several test flakes (1848, 1865)
- Foundation of new Ginkgo build-driven-development framework for CI (1733)
date: | 2017-10-26 |
---|---|
commit: | nil |
- Various bugfixes around mounting of the BPF filesystem (1379, 1473)
- Fixed issue where L4 policy trace would incorrectly determine that traffic would be rejected when the L4 policy specifies the protocol (1587)
- Provided workaround for minikube when running in unencrypted mode (1492)
- Synchronization of compilation of base and endpoint programs (1440)
- Provide backwards compatibility to iproute2-4.8.0 (1474)
- Multiple memory leak fixes in cgo usage (1508)
- Various fixes around load-balancer synchronization (1352)
- Improved readability of BPF compatibility check on startup (1505, 1548)
- Fixed maintainer label in Dockerfile (1513)
- Correctly set the transport protocol in proxy flows (1511)
- Fix group ownership of monitoring unix domain socket to allow running
cilium monitor
without root privileges if correct group associated is provided (1532) - Fixed quoting of API socket path in error message (1531)
- Fixed a bug in the k8s informer/watcher where a parse error in client-go would never recover (1545)
- Use an IPv6 site local address as the IPv6 host address if no IPv6 address is configured on the node. This prevents from accidentally enabling unwanted IPv6 DNS resolution on the system. (1555)
- Configure automatically generated host IPs as link scope to avoid them being selected as source IP for traffic exiting the node (1575, 1614)
- Fixed a bug where endpoint identities could run out of sync with the kvstore (1558)
- Fixed a bug in the ability to perform policy simulation for L4 flows (1569)
- Masquerade traffic from host into local cilium endpoints with the ExternalIP to allow for such packets to be routed other nodes (1570)
- Fixed policy trace with tcp/udp protocol filter (1596, 1599)
- Bail out gracefully if running compatibility mode with limited CIDR filter capacity (1507)
- Fixed incorrect double backslash in CoreOS unit file example (1605)
- Fixed concurrent access issue of bytes.Buffer use (1623)
- Made node monitor thread safe (1622)
- Use specific version of cilium images instead of stable in getting started guide (1642)
- Fix to guarantee to always handle events for a particular container in order (1677)
- Fix endpoint build deadlock (1777)
- containerd watcher resyncs on missed events better (1691)
- Free up allocated memory for state on poll false positives (1821)
- Fix deadlock when running
cilium endpoint list -l <label>
(1858) - Fall back to host networking on overlay non-match (1847)
- Initial code to start supporting Kafka policy enforcement (1634, 1757)
- New
json
andjsonpath
output modes for the cilium CLI command. (1484) - New simplified policy model to express connectivity to special entities "world" (outside of the cluster) and "host" (system on which endpoint is running on) (1651, 1665)
- XDP based early filtering of hostile source IP prefixes as well as enforcement of destination IPs to correspond to a known local endpoint and to host IPs. (1675)
- L7 logging records now include as much information about the identity of the source and destination endpoint as possible. This includes the labels of the identity if known to the local agent as well as additional information about the identity of the destination when outside of the cluster (1550, 1615)
- Much reduced time required to rebuild endpoint programs (1638)
- Initial support to allow running multiple user space proxies (1661)
- New
--auto-ipv6-node-routes
agent flag which automatically populates IPv6 routes for all other nodes in the cluster. This provides a minimalistic routing control plane for IPv6 native networks (1479) - Support L3-dependent L4 policies on ingress (1599, 1496, 1217, 1064, 789)
- Add bash code completion (1597, 1643)
- New RPM build process (1528)
- Default policy enforcement behavior for non-Kubernetes environments is now the same as for Kubernetes environments; traffic is allowed by default until a rule selects an endpoint (1464)
- The default policy enforcement logic is now in line with Kubernetes behaviour to avoid confusion (1464)
- Extended
cilium identity list
andcilium identity get
to provide a cluster wide picture of allocated security identities (1462, 1568) - New improved datapath tracing functionality with better indication of forwarding decision (1466, 1490, 1512)
- Tested with Kubernetes 1.8 release
- New improved DaemonSet file which automatically derives configuration on how to access the Kubernetes API server without requiring the user to specify a kubeconfig file (1683, 1381)
- Support specifying parameters such as etcd endpoints as ConfigMap (1683)
- Add new fields to Ingress and Egress rules for CiliumNetworkPolicy called FromCIDR and ToCIDR. These are lists of CIDR prefixes to whitelist along with a list of CIDR prefixes for each CIDR prefix to blacklist. (1663)
- Improved status section of CiliumNetworkPolicy rules (1574)
- Improved logic involved to Kubernetes node annotations with IPv6 pod CIDR (1563)
- Refactor pod annotation logic (1468)
- Give preference to Kubernetes IP allocation (1767)
- Re-wrote CRD client to fix "no kind Status" warning (1817)
- Policy enforcement mode documentation (1464)
- Updated L3 CIDR policy documentation (1663)
- New BPF developer debugging manual (1548)
- Added instructions on kube-proxy installation and integration (1585)
- Added more developer focused documentation (1601)
- Added instructions on how to configure MTU and other parameters in combination with CNI (1612)
- API stability guarantees (1628)
- Make GitHub URLs depend on the current branch (1764)
- Document assurances if Cilium or its dependencies get into a bad state (1713)
- Bump supported minikube version (1816)
- Update policy examples (1837)
- Improved CI testing infrastructure and fixed several test flakes (1632, 1624, 1455, 1441, 1435, 1542, 1776)
- New builtin deadlock detection for developers. Enable this in Makefile.defs. (1648)
- Add new --pprof flag to serve the pprof API (1646)
- Updated go to 1.9 (1519)
- Updated go dependencies (1519, 1535)
- go-openapi, go-swagger (0.12.0),
- Update Sirupsen/logrus to sirupsen/logrus (1573)
- Fixed several BPF lint warnings (1666)
- Silence errors in 'clean-tags' Make target (1793)
date: | 2017-09-07 |
---|---|
commit: | 6725f0c4bed2b499ca5651d7ae1746908e018afc |
- Fixed an issue where service IDs were leaked in etcd/consul. Services have been moved to a new prefix in the kvstore. Old, leaked service IDs are automatically removed when a fixed cilium-agent is started. (1182, 1195)
- Fixed accuracy of policy revision field. The policy revision field was bumped after policy for an endpoint was recalculated. The policy revision field is now bumped after complete synchronization with the datapath has occurred (1196)
- Fixed graceful connection closure where final ACK after FIN+ACK was dropped (1186)
- Fixed several bugs in endpoint restore functionality where endpoints were not correctly recovered after agent restart (1140, 1242, 1330, 1338)
- Fixed unnecessary consumer map deletion attempt which resulted in confusion due to warning log messages (1206)
- Fixed stateful connection recognition of reply|related packets from an endpoint to the host. This resulted in reply packets getting dropped if the path from endpoint to host was restricted by policy but a connection from the host to the endpoint was permitted (1211)
- Fixed debian packages build process (1153)
- Fixed a typo in the getting started guide examples section (1213)
- Fixed Kubernetes CI test to use locally built container image (1188)
- Fixed logic which picks up Kubernetes log files on failed CI testruns (1169)
- Agent now fails during bootup if kvstore cannot be reached (1266)
- Fixed the L7 redirection logic to only report the new PolicyRevision after the proxy has started listening on the port. This resolves a race condition when deploying both policy and workload at the same time and the proxy is not up yet. (1286)
- Fixed a bug in cilium monitor memory allocation with regard to handling data from the perf ring buffer (1304)
- Correctly ignore policy resources with an empty ruleset (1296, 1297)
- Ignore the controller-revision-hash label to derive security identity (1320)
- Removed ip: field name for CIDR policy rules, CIDR rules are now a slice of strings describing prefixes (1322)
- Ignore Kubernetes annotations done by cilium which show up as labels on the container when deriving security identity (1338)
- Increased the ReadTimeout of the HTTP proxy to 120 seconds (1349)
- Fixed use of node address when running with IPv4 disabled (1260)
- Several fixes around when an endpoint should go into policy enforcement for Kubernetes and non-Kubernetes environments (1328)
- When creating the Kubernetes client, wait for Kubernetes cluster to be in ready state (1350)
- Fixed drop notifications to include as much metadata as possible (1427, 1444)
- Fixed a bug where the compilation of the base programs and writing of header files could occur in parallel with compilation of programs for endpoints which could lead to temporary compilation errors (1440)
- Fail gracefully when configuring more than the maximum supported L4 ports in the policy (1406)
- Fixed a bug where not all policy rules were JSON validated before sending it to the agent (1406)
- Fixed a bug in the SHA256 calculation (1454)
- Fixed the datapath to differentiate the packets from a regular local process and packets originating from the proxy (previously redirected to by the datapath). (1459)
- The monitor now supports multiple readers, you can run cilium monitor multiple times in parallel. All monitors will see all events. (1288)
- cilium policy trace can now trace policy decisions based on Kubernetes pod names, security identities, endpoint IDs and Kubernetes YAML resources [Deployments, ReplicaSets, ReplicationControllers, Pods ](1124)
- It is now possible to reach the local host on IPs which are within the overall cluster prefix (1394)
- The cilium identity get CLI and API can now resolve global identities with the help of the kvstore (1313)
- Use new probe functionality of LLVM to automatically use new BPF compare instructions if supported by both LLVM and the kernel (1356)
- CIDR network policy is now visible in cilium endpoint get (1328)
- Set minimum amount of compilation workers to 4 (1227)
- Removed local backend (1235)
- Reduced use of cgo in in bpf packages (1275)
- Do sparse checks during BPF compilation (1175)
- New cilium bpf lb list command (1317)
- New optimized kvstore interaction code (1365, 1397, 1370)
- The access log now includes a SHA hash for each reported label to allow for validation with the kvstore (1425)
- Improved CI testing infrastructure (1262, 1207, 1380, 1373, 1390, 1385, 1410)
- Upgraded to kubeadm 1.7.0 (1179)
- Multi networking documentation (1244)
- Documentation of the policy specification (1344)
- New improved top level structuring of the sections (1344)
- Example for etcd configuration file (1268)
- Tutorial on how to use cilium monitor for troubleshooting (1451)
- Added support for Custom Resource Definition (CRD). Be aware that parallel usage of CRD and Third party Resources (TPR) leads to unexpected behaviour. See cilium.link/migrate-tpr for more details. Upgrade your CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them at cilium.io/v1 to stay on TPR. (1169, 1219)
- The CiliumNetworkPolicy resource now has a status field which contains the status of each node enforcing the policy (1354)
- Added RBAC rules for v1/NetworkPolicy (1188)
- Upgraded Kubernetes example to 1.7.0 (1180)
- Delay pod healthcheck for 180 seconds to account for endpoint restore (1271)
- Added tolerations to DaemonSet to schedule Cilium onto master nodes as well (1426)
date: | 2017-07-14 |
---|---|
commit: | 270ed8fc16184d2558b0da2a0c626567aca1efd9 |
- CIDR based filter for ingress and egress (886)
- New simplified encapsulation mode. No longer requires any network configuration, the IP of the VM/host is automatically used as tunnel endpoint across the mesh. There is no longer a need to configure any routes for the container prefixes in the cloud network or the underlying fabric. The node prefix to node ip mapping is automatically derived from the Kubernetes PodCIDR (1020, 1013, 1039)
- When accessing external networks, outgoing traffic is automatically masqueraded without requiring to install a masquerade rule manually. This behaviour can be disabled with --masquerade=false (1020)
- Support to handle arbitrary IPv4 cluster prefix sizes. This was previously required to be a /8 prefix. It can now be specified with --ipv4-cluster-cidr-mask-size (1094)
- Cilium monitor has been enabled with a neat one-liner mode which is on by default. It is similar to tcpdump but provides high level metadata such as container IDs, endpoint IDs, security identities (1112)
- The agent policy repository now includes a revision which is returned after each change of the policy. A new command cilium policy wait and be used to wait until all endpoints have been updated to enforce the new policy revision (1115)
cilium endpoint get
now supportsget -l <set of labels>
andget <endpointID | pod-name:namespace:k8s-pod | container-name:name>
(1139)- Improve label source concept. Users can now match the source of a particular label (e.g. k8s:app=foo, container:app=foo) or match on any source (e.g. app=foo, any:app=foo) (905)
- CoreOS installation guide
- Drop support for extensions/v1beta1/NetworkPolicy and support networking.k8s.io/v1/NetworkPolicy (1150)
- Allow fine grained inter namespace policy control. It is now possible to specify policy rules which allow individual pods from another namespace to access a pod (1103)
- The CiliumNetworkPolicy ThirdPartyResource now supports carrying a list of rules to update atomically (1055)
- The example DaemonSet now schedules Cilium pods onto nodes which are not ready to allow deploying Cilium on a cluster with a non functional CNI configuration. The Cilium pod will automatically configure CNI properly. (1075)
- Automatically derive node address prefix from Kubernetes (PodCIDR) (1026)
- Automatically install CNI loopback driver if required (860)
- Do not overwrite existing 10-cilium.conf CNI configuration if it already exists (871)
- Full RBAC support (873, 875)
- Correctly implement ClusterIP portion of k8s service types LoadBalancer and NodePort (1098)
- The cilium and consul pod in the example DaemonSet now have health checks (925, 938)
- Correctly ignore headless services without a warning in the log (932)
- Derive node-name automatically (1090)
- Labels are now attached to endpoints instead of containers. This will allow to support labels attached to things other than containers (1121)
- Added Kubernetes getting started guide to CI test suite (894)
- L7 stress tests (1108)
- Automatically verify links documentation (896)
- Kubernetes multi node testing environment (980)
- Massively reduced build&test time (982)
- Gather logfiles on failure (1017, 1045)
- Guarantee isolation in between VMs for separate PRs CI runs (1075)
- Cilium load balancer can now encapsulate packets and carry the service-ID in the packet (912)
- The filtering mechanism which decides which labels should be used for security identity determination now supports regular expressions (918)
- Extended logging information of L7 requests in proxy (964, 973, 991, 998, 1002)
- Improved rendering of cilium service list (934)
- Upgraded to etcd 3.2.1 (959)
- More factoring out of agent into separate packages (975, 985)
- Reduced cgo usage (1003, 1018)
- Improve logging of BPF generation errors (990)
- cilium policy trace now supports verbose output (1080)
- Include
bpf-map
tool in cilium container image (1088) - Carrying of security identities across the proxy (1114)
- Fixed use of IPv6 node addresses which are already configured on the systme (#819)
- Enforce minimal etcd and consul versions (911)
- Connection tracking entries now get automatically cleaned if new policy no longer allows the connection (794)
- Report status message in
cilium status
if a component is in error state (874) - Create L7 access log file if it does not exist (881)
- Report kernel/clang versions on compilation issues (888)
- Check that cilium binary is installed when agent starts up (892)
- Fix checksum error in service + proxy redirection (1011)
- Stricter connection tracking connection creation criteria (1027)
- Cleanup of leftover veth if endpoint setup failed midway (1122)
- Remove stale ids also from policy map (1135)
date: | 2017-05-23 |
---|---|
commit: | 1bfb6303f6fba25c4d22fbe4b7c35450055296b6 |
- Core
- New simplified policy language (670)
- Option to choose between a global (default) and per endpoint connection tracking table (659)
- Parallel endpoint BPF program & policy builds (424, 587)
- Fluentd logging integration (758)
- IPv6 proxy redirection support (818)
- Transparent ingress proxy redirection (773)
- Consider all labels for identity except dynamic k8s state labels (849)
- Reduced size of cilium binary from 27M to 17M (554)
- Add filtering support to
cilium monitor
(673) - Allow rule now supports matching multiple labels (638)
- Separate runtime state and template directory for security reasons (537)
- Ability to specify L4 destination port in policy trace (650)
- Improved log readability (499)
- Optimized connection tracking map updates per packet (829)
- New
--kvstore
and--kvstore-opt
flag (Replaces--consul, --etcd, --local
flags) (767) - Configurable clang path (620)
- Updated CNI to 5.2.0 (529)
- Updated Golang to 1.8.3 (853)
- Bump k8s client to v3.0.0-beta.0 (646)
- Kubernetes
- Support L4 filtering with v1beta1.NetworkPolicyPort (638)
- ThirdPartyResources support for L3-L7 policies (795, 814)
- Per pod policy enablement based on policy selection (815)
- Support for full LabelSelector (753)
- Option to always allow localhost to reach endpoints (auto on with k8s) (754)
- RBAC ClusterRole, ServiceAccount and bindings (850)
- Scripts to install and uninstall CNI configuration (745)
- Documentation
- Core
- Endpoints are displayed in ascending order (474)
- Warn about insufficient kernel version when starting up (505)
- Work around Docker <17.05 disabling IPv6 in init namespace (544)
- Fixed a connection tracking expiry a bug (828)
- Only generate human readable ASM output if DEBUG is enabled (599)
- Switch from package syscall to x/sys/unix (588)
- Remove tail call map on endpoint leave (736)
- Fixed ICMPv6 to service IP with LB back to own IP (764)
- Respond to ARP also when temporary drop all policy is applied. (724)
- Fixed several BPF resource leakages (634, 684, 732)
- Fixed several L7 parser policy bugs (512)
- Fixed tc call to specify prio and handle for replace (611)
- Fixed off by one in consul connection retries (610)
- Fixed lots of documentation typos
- Fix addition/deletion order when updating endpoint labels (647)
- Graceful exit if lack of privileges (694)
- use same tuple struct for both global and local CT (822)
- bpf/init.sh: More robust deletion of routes. (719)
- lxc endianess & src validation fixes (747)
- Kubernetes
- Correctly handle k8s NetworkPolicy matchLabels (638)
- Allow all sources if []NetworkPolicyPeer is empty or missing (638)
- Fix if k8s API server returns nil label (567)
- Do not error out if k8s node does not have a CIDR assigned (628)
- Only attempt to resolve CIDR from k8s API if client is available (608)
- Log error if invalid k8s NetworkPolicy objects are received (617)