| date: | 2017-10-10 |
|---|---|
| commit: | nil |
- Various bugfixes around mounting of the BPF filesystem (1379, 1473)
- Fixed issue where L4 policy trace would incorrectly determine that traffic would be rejected when the L4 policy specifies the protocol (1587)
- Provided workaround for minikube when running in unencrypted mode (1492)
- Synchronization of compilation of base and endpoint programs (1440)
- Provide backwards compatibility to iproute2-4.8.0 (1474)
- Multiple memory leak fixes in cgo usage (1508)
- Various fixes around load-balancer synchronization (1352)
- Improved readability of BPF compatibility check on startup (1505, 1548)
- Fixed maintainer label in Dockerfile (1513)
- Correctly set the transport protocol in proxy flows (1511)
- Fix group ownership of monitoring unix domain socket to allow running `cilium monitor` without root privileges if the correct group association is provided (1532)
- Fixed quoting of API socket path in error message (1531)
- Fixed a bug in the k8s informer/watcher where a parse error in client-go would never recover (1545)
- Use an IPv6 site local address as the IPv6 host address if no IPv6 address is configured on the node. This prevents accidentally enabling unwanted IPv6 DNS resolution on the system. (1555)
- Configure automatically generated host IPs as link scope to avoid them being selected as source IP for traffic exiting the node (1575, 1614)
- Fixed a bug where endpoint identities could run out of sync with the kvstore (1558)
- Fixed a bug in the ability to perform policy simulation for L4 flows (1569)
- Masquerade traffic from host into local cilium endpoints with the ExternalIP to allow such packets to be routed to other nodes (1570)
- Fixed policy trace with tcp/udp protocol filter (1596, 1599)
- Bail out gracefully if running compatibility mode with limited CIDR filter capacity (1507)
- Fixed incorrect double backslash in CoreOS unit file example (1605)
- Fixed concurrent access issue of bytes.Buffer use (1623)
- Made node monitor thread safe (1622)
- Use specific version of cilium images instead of stable in getting started guide (1642)
- Fix to guarantee to always handle events for a particular container in order (1677)
- Initial code to start supporting Kafka policy enforcement (1634)
- New `json` and `jsonpath` output modes for the cilium CLI command. (1484)
- New simplified policy model to express connectivity to special entities "world" (outside of the cluster) and "host" (system on which the endpoint is running) (1651, 1665)
- XDP based early filtering of hostile source IP prefixes as well as enforcement of destination IPs to correspond to a known local endpoint and to host IPs. (1675)
- L7 logging records now include as much information about the identity of the source and destination endpoint as possible. This includes the labels of the identity if known to the local agent as well as additional information about the identity of the destination when outside of the cluster (1550, 1615)
- Much reduced time required to rebuild endpoint programs (1638)
- Initial support to allow running multiple user space proxies (1661)
- New `--auto-ipv6-node-routes` agent flag which automatically populates IPv6 routes for all other nodes in the cluster. This provides a minimalistic routing control plane for IPv6 native networks (1479)
- Support L3-dependent L4 policies on ingress (1599, 1496, 1217, 1064, 789)
- Add bash code completion (1597, 1643)
- New RPM build process (1528)
- Default policy enforcement behavior for non-Kubernetes environments is now the same as for Kubernetes environments; traffic is allowed by default until a rule selects an endpoint (1464)
- The default policy enforcement logic is now in line with Kubernetes behaviour to avoid confusion (1464)
- Extended `cilium identity list` and `cilium identity get` to provide a cluster wide picture of allocated security identities (1462, 1568)
- New improved datapath tracing functionality with better indication of forwarding decision (1466, 1490, 1512)
- Tested with Kubernetes 1.8 release
- New improved DaemonSet file which automatically derives configuration on how to access the Kubernetes API server without requiring the user to specify a kubeconfig file (1683, 1381)
- Support specifying parameters such as etcd endpoints as ConfigMap (1683)
- Add new fields to Ingress and Egress rules for CiliumNetworkPolicy called FromCIDR and ToCIDR. These are lists of CIDR prefixes to whitelist, where each whitelisted prefix may carry its own list of CIDR prefixes to blacklist within it. (1663)
- Improved status section of CiliumNetworkPolicy rules (1574)
- Improved logic involved in annotating Kubernetes nodes with the IPv6 pod CIDR (1563)
- Refactor pod annotation logic (1468)
- Policy enforcement mode documentation (1464)
- Updated L3 CIDR policy documentation (1663)
- New BPF developer debugging manual (1548)
- Added instructions on kube-proxy installation and integration (1585)
- Added more developer focused documentation (1601)
- Added instructions on how to configure MTU and other parameters in combination with CNI (1612)
- API stability guarantees (1628)
- Improved CI testing infrastructure and fixed several test flakes (1632, 1624, 1455, 1441, 1435, 1542)
- New builtin deadlock detection for developers. Enable this in Makefile.defs. (1648)
- Add new --pprof flag to serve the pprof API (1646)
- Updated go to 1.9 (1519)
- Updated go dependencies (1519, 1535)
  - go-openapi, go-swagger (0.12.0)
- Update Sirupsen/logrus to sirupsen/logrus (1573)
- Fixed several BPF lint warnings (1666)
| date: | 2017-09-07 |
|---|---|
| commit: | 6725f0c4bed2b499ca5651d7ae1746908e018afc |
- Fixed an issue where service IDs were leaked in etcd/consul. Services have been moved to a new prefix in the kvstore. Old, leaked service IDs are automatically removed when a fixed cilium-agent is started. (1182, 1195)
- Fixed accuracy of policy revision field. The policy revision field was bumped after policy for an endpoint was recalculated. The policy revision field is now bumped after complete synchronization with the datapath has occurred (1196)
- Fixed graceful connection closure where final ACK after FIN+ACK was dropped (1186)
- Fixed several bugs in endpoint restore functionality where endpoints were not correctly recovered after agent restart (1140, 1242, 1330, 1338)
- Fixed unnecessary consumer map deletion attempt which resulted in confusion due to warning log messages (1206)
- Fixed stateful connection recognition of reply|related packets from an endpoint to the host. This resulted in reply packets getting dropped if the path from endpoint to host was restricted by policy but a connection from the host to the endpoint was permitted (1211)
- Fixed debian packages build process (1153)
- Fixed a typo in the getting started guide examples section (1213)
- Fixed Kubernetes CI test to use locally built container image (1188)
- Fixed logic which picks up Kubernetes log files on failed CI testruns (1169)
- Agent now fails during bootup if kvstore cannot be reached (1266)
- Fixed the L7 redirection logic to only report the new PolicyRevision after the proxy has started listening on the port. This resolves a race condition when deploying both policy and workload at the same time and the proxy is not up yet. (1286)
- Fixed a bug in cilium monitor memory allocation with regard to handling data from the perf ring buffer (1304)
- Correctly ignore policy resources with an empty ruleset (1296, 1297)
- Ignore the controller-revision-hash label to derive security identity (1320)
- Removed ip: field name for CIDR policy rules, CIDR rules are now a slice of strings describing prefixes (1322)
- Ignore Kubernetes annotations done by cilium which show up as labels on the container when deriving security identity (1338)
- Increased the ReadTimeout of the HTTP proxy to 120 seconds (1349)
- Fixed use of node address when running with IPv4 disabled (1260)
- Several fixes around when an endpoint should go into policy enforcement for Kubernetes and non-Kubernetes environments (1328)
- When creating the Kubernetes client, wait for Kubernetes cluster to be in ready state (1350)
- Fixed drop notifications to include as much metadata as possible (1427, 1444)
- Fixed a bug where the compilation of the base programs and writing of header files could occur in parallel with compilation of programs for endpoints which could lead to temporary compilation errors (1440)
- Fail gracefully when configuring more than the maximum supported L4 ports in the policy (1406)
- Fixed a bug where not all policy rules were JSON validated before sending it to the agent (1406)
- Fixed a bug in the SHA256 calculation (1454)
- Fixed the datapath to differentiate the packets from a regular local process and packets originating from the proxy (previously redirected to by the datapath). (1459)
- The monitor now supports multiple readers, you can run cilium monitor multiple times in parallel. All monitors will see all events. (1288)
- cilium policy trace can now trace policy decisions based on Kubernetes pod names, security identities, endpoint IDs and Kubernetes YAML resources (Deployments, ReplicaSets, ReplicationControllers, Pods) (1124)
- It is now possible to reach the local host on IPs which are within the overall cluster prefix (1394)
- The cilium identity get CLI and API can now resolve global identities with the help of the kvstore (1313)
- Use new probe functionality of LLVM to automatically use new BPF compare instructions if supported by both LLVM and the kernel (1356)
- CIDR network policy is now visible in cilium endpoint get (1328)
- Set minimum amount of compilation workers to 4 (1227)
- Removed local backend (1235)
- Reduced use of cgo in bpf packages (1275)
- Do sparse checks during BPF compilation (1175)
- New cilium bpf lb list command (1317)
- New optimized kvstore interaction code (1365, 1397, 1370)
- The access log now includes a SHA hash for each reported label to allow for validation with the kvstore (1425)
- Improved CI testing infrastructure (1262, 1207, 1380, 1373, 1390, 1385, 1410)
- Upgraded to kubeadm 1.7.0 (1179)
- Multi networking documentation (1244)
- Documentation of the policy specification (1344)
- New improved top level structuring of the sections (1344)
- Example for etcd configuration file (1268)
- Tutorial on how to use cilium monitor for troubleshooting (1451)
- Added support for Custom Resource Definition (CRD). Be aware that parallel usage of CRD and Third party Resources (TPR) leads to unexpected behaviour. See cilium.link/migrate-tpr for more details. Upgrade your CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them at cilium.io/v1 to stay on TPR. (1169, 1219)
- The CiliumNetworkPolicy resource now has a status field which contains the status of each node enforcing the policy (1354)
- Added RBAC rules for v1/NetworkPolicy (1188)
- Upgraded Kubernetes example to 1.7.0 (1180)
- Delay pod healthcheck for 180 seconds to account for endpoint restore (1271)
- Added tolerations to DaemonSet to schedule Cilium onto master nodes as well (1426)
| date: | 2017-07-14 |
|---|---|
| commit: | 270ed8fc16184d2558b0da2a0c626567aca1efd9 |
- CIDR based filter for ingress and egress (886)
- New simplified encapsulation mode. No longer requires any network configuration, the IP of the VM/host is automatically used as tunnel endpoint across the mesh. There is no longer a need to configure any routes for the container prefixes in the cloud network or the underlying fabric. The node prefix to node ip mapping is automatically derived from the Kubernetes PodCIDR (1020, 1013, 1039)
- When accessing external networks, outgoing traffic is automatically masqueraded without requiring to install a masquerade rule manually. This behaviour can be disabled with --masquerade=false (1020)
- Support to handle arbitrary IPv4 cluster prefix sizes. This was previously required to be a /8 prefix. It can now be specified with --ipv4-cluster-cidr-mask-size (1094)
- Cilium monitor has been enabled with a neat one-liner mode which is on by default. It is similar to tcpdump but provides high level metadata such as container IDs, endpoint IDs, security identities (1112)
- The agent policy repository now includes a revision which is returned after each change of the policy. A new command cilium policy wait can be used to wait until all endpoints have been updated to enforce the new policy revision (1115)
- `cilium endpoint get` now supports `get -l <set of labels>` and `get <endpointID | pod-name:namespace:k8s-pod | container-name:name>` (1139)
- Improve label source concept. Users can now match the source of a particular label (e.g. k8s:app=foo, container:app=foo) or match on any source (e.g. app=foo, any:app=foo) (905)
- CoreOS installation guide
- Drop support for extensions/v1beta1/NetworkPolicy and support networking.k8s.io/v1/NetworkPolicy (1150)
- Allow fine grained inter namespace policy control. It is now possible to specify policy rules which allow individual pods from another namespace to access a pod (1103)
- The CiliumNetworkPolicy ThirdPartyResource now supports carrying a list of rules to update atomically (1055)
- The example DaemonSet now schedules Cilium pods onto nodes which are not ready to allow deploying Cilium on a cluster with a non functional CNI configuration. The Cilium pod will automatically configure CNI properly. (1075)
- Automatically derive node address prefix from Kubernetes (PodCIDR) (1026)
- Automatically install CNI loopback driver if required (860)
- Do not overwrite existing 10-cilium.conf CNI configuration if it already exists (871)
- Full RBAC support (873, 875)
- Correctly implement ClusterIP portion of k8s service types LoadBalancer and NodePort (1098)
- The cilium and consul pod in the example DaemonSet now have health checks (925, 938)
- Correctly ignore headless services without a warning in the log (932)
- Derive node-name automatically (1090)
- Labels are now attached to endpoints instead of containers. This will allow supporting labels attached to things other than containers (1121)
- Added Kubernetes getting started guide to CI test suite (894)
- L7 stress tests (1108)
- Automatically verify links documentation (896)
- Kubernetes multi node testing environment (980)
- Massively reduced build & test time (982)
- Gather logfiles on failure (1017, 1045)
- Guarantee isolation between VMs for CI runs of separate PRs (1075)
- Cilium load balancer can now encapsulate packets and carry the service-ID in the packet (912)
- The filtering mechanism which decides which labels should be used for security identity determination now supports regular expressions (918)
- Extended logging information of L7 requests in proxy (964, 973, 991, 998, 1002)
- Improved rendering of cilium service list (934)
- Upgraded to etcd 3.2.1 (959)
- More factoring out of agent into separate packages (975, 985)
- Reduced cgo usage (1003, 1018)
- Improve logging of BPF generation errors (990)
- cilium policy trace now supports verbose output (1080)
- Include `bpf-map` tool in cilium container image (1088)
- Carrying of security identities across the proxy (1114)
- Fixed use of IPv6 node addresses which are already configured on the system (819)
- Enforce minimal etcd and consul versions (911)
- Connection tracking entries now get automatically cleaned if new policy no longer allows the connection (794)
- Report status message in `cilium status` if a component is in error state (874)
- Create L7 access log file if it does not exist (881)
- Report kernel/clang versions on compilation issues (888)
- Check that cilium binary is installed when agent starts up (892)
- Fix checksum error in service + proxy redirection (1011)
- Stricter connection tracking connection creation criteria (1027)
- Cleanup of leftover veth if endpoint setup failed midway (1122)
- Remove stale ids also from policy map (1135)
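The following is an added example, not Cilium's own code, modelling two behaviours described in these notes: the label source concept (905), where a selector may name a label's source such as k8s: or container:, or use any: (or no prefix) to match any source, and the default enforcement behaviour from the 2017-10-10 notes (1464), where traffic to an endpoint is allowed until a rule selects that endpoint. The rule shape, function names and the sample labels are assumptions made for illustration; the real policy language has more fields than this.

```python
"""Model of label-source matching and default-allow-until-selected enforcement.

Added illustration, not Cilium code. Labels are (source, key, value) tuples;
a selector with source "any" matches a label from any source, while a selector
with a concrete source (e.g. "k8s") only matches labels from that source.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Label = Tuple[str, str, str]  # (source, key, value)


def parse_label(text: str, default_source: str = "any") -> Label:
    """Parse 'source:key=value'. A missing source prefix means default_source,
    so the selector 'app=foo' is equivalent to 'any:app=foo'."""
    key_part, _, value = text.partition("=")
    if ":" in key_part:
        source, _, key = key_part.partition(":")
    else:
        source, key = default_source, key_part
    return (source, key, value)


def parse_selectors(texts: List[str]) -> List[Label]:
    """Selectors default to the wildcard source 'any'."""
    return [parse_label(t, "any") for t in texts]


def endpoint_labels(texts: List[str]) -> List[Label]:
    """Endpoint labels must carry an explicit source (assumption of this model)."""
    labels = []
    for t in texts:
        if ":" not in t.partition("=")[0]:
            raise ValueError(f"endpoint label without source: {t}")
        labels.append(parse_label(t))
    return labels


def label_matches(selector: Label, label: Label) -> bool:
    """Key and value must be equal; source must be equal unless selector says 'any'."""
    ssrc, skey, sval = selector
    lsrc, lkey, lval = label
    return skey == lkey and sval == lval and (ssrc == "any" or ssrc == lsrc)


def selects(selectors: List[Label], labels: List[Label]) -> bool:
    """A selector list selects an endpoint if every selector is satisfied by some label."""
    return all(any(label_matches(s, l) for l in labels) for s in selectors)


@dataclass
class Rule:
    """Minimal ingress rule: applies to endpoints matching endpoint_selector and
    admits traffic from any peer matching one of the ingress_from selector lists."""
    endpoint_selector: List[Label]
    ingress_from: List[List[Label]] = field(default_factory=list)


def policy_enforced(rules: List[Rule], labels: List[Label]) -> bool:
    """An endpoint enters enforcement mode as soon as any rule selects it."""
    return any(selects(r.endpoint_selector, labels) for r in rules)


def ingress_allowed(rules: List[Rule], dst: List[Label], src: List[Label]) -> bool:
    """Default allow when no rule selects dst; otherwise an allow rule must match src."""
    if not policy_enforced(rules, dst):
        return True
    for r in rules:
        if selects(r.endpoint_selector, dst):
            if any(selects(peer, src) for peer in r.ingress_from):
                return True
    return False


# Constructed sample data (not from a real cluster).
DB = endpoint_labels(["k8s:app=db", "k8s:io.kubernetes.pod.namespace=default"])
WEB_K8S = endpoint_labels(["k8s:app=web"])
WEB_CONTAINER = endpoint_labels(["container:app=web"])
CACHE = endpoint_labels(["k8s:app=cache"])  # no rule selects this endpoint

# Rule A: only k8s-sourced app=web may reach db.  Rule B: app=web from any source may.
RULE_K8S_ONLY = [Rule(parse_selectors(["k8s:app=db"]), [parse_selectors(["k8s:app=web"])])]
RULE_ANY_SOURCE = [Rule(parse_selectors(["k8s:app=db"]), [parse_selectors(["app=web"])])]


def demo() -> dict:
    """Return the decisions a reader would want to compare side by side."""
    return {
        "k8s_web_to_db_strict": ingress_allowed(RULE_K8S_ONLY, DB, WEB_K8S),
        "container_web_to_db_strict": ingress_allowed(RULE_K8S_ONLY, DB, WEB_CONTAINER),
        "container_web_to_db_any": ingress_allowed(RULE_ANY_SOURCE, DB, WEB_CONTAINER),
        "cache_to_db_strict": ingress_allowed(RULE_K8S_ONLY, DB, CACHE),
        "anything_to_cache": ingress_allowed(RULE_K8S_ONLY, CACHE, WEB_CONTAINER),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The interesting pair is the second and third entries of `demo()`: the same peer labelled `container:app=web` is denied by a `k8s:app=web` selector but admitted by the source-agnostic `app=web`. The last entry shows the default-allow behaviour: no rule selects the cache endpoint, so it is not in enforcement mode and the traffic passes even though it would be denied to the database.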
| date: | 2017-05-23 |
|---|---|
| commit: | 1bfb6303f6fba25c4d22fbe4b7c35450055296b6 |
- Core
  - New simplified policy language (670)
  - Option to choose between a global (default) and per endpoint connection tracking table (659)
  - Parallel endpoint BPF program & policy builds (424, 587)
  - Fluentd logging integration (758)
  - IPv6 proxy redirection support (818)
  - Transparent ingress proxy redirection (773)
  - Consider all labels for identity except dynamic k8s state labels (849)
  - Reduced size of cilium binary from 27M to 17M (554)
  - Add filtering support to `cilium monitor` (673)
  - Allow rule now supports matching multiple labels (638)
  - Separate runtime state and template directory for security reasons (537)
  - Ability to specify L4 destination port in policy trace (650)
  - Improved log readability (499)
  - Optimized connection tracking map updates per packet (829)
  - New `--kvstore` and `--kvstore-opt` flags (replaces the `--consul`, `--etcd` and `--local` flags) (767)
  - Configurable clang path (620)
  - Updated CNI to 5.2.0 (529)
  - Updated Golang to 1.8.3 (853)
  - Bump k8s client to v3.0.0-beta.0 (646)
- Kubernetes
  - Support L4 filtering with v1beta1.NetworkPolicyPort (638)
  - ThirdPartyResources support for L3-L7 policies (795, 814)
  - Per pod policy enablement based on policy selection (815)
  - Support for full LabelSelector (753)
  - Option to always allow localhost to reach endpoints (auto on with k8s) (754)
  - RBAC ClusterRole, ServiceAccount and bindings (850)
  - Scripts to install and uninstall CNI configuration (745)
- Documentation
- Core
  - Endpoints are displayed in ascending order (474)
  - Warn about insufficient kernel version when starting up (505)
  - Work around Docker <17.05 disabling IPv6 in init namespace (544)
  - Fixed a connection tracking expiry bug (828)
  - Only generate human readable ASM output if DEBUG is enabled (599)
  - Switch from package syscall to x/sys/unix (588)
  - Remove tail call map on endpoint leave (736)
  - Fixed ICMPv6 to service IP with LB back to own IP (764)
  - Respond to ARP also when temporary drop all policy is applied. (724)
  - Fixed several BPF resource leakages (634, 684, 732)
  - Fixed several L7 parser policy bugs (512)
  - Fixed tc call to specify prio and handle for replace (611)
  - Fixed off by one in consul connection retries (610)
  - Fixed lots of documentation typos
  - Fix addition/deletion order when updating endpoint labels (647)
  - Graceful exit if lack of privileges (694)
  - Use same tuple struct for both global and local CT (822)
  - bpf/init.sh: More robust deletion of routes. (719)
  - lxc endianness & src validation fixes (747)
- Kubernetes
  - Correctly handle k8s NetworkPolicy matchLabels (638)
  - Allow all sources if []NetworkPolicyPeer is empty or missing (638)
  - Fix if k8s API server returns nil label (567)
  - Do not error out if k8s node does not have a CIDR assigned (628)
  - Only attempt to resolve CIDR from k8s API if client is available (608)
  - Log error if invalid k8s NetworkPolicy objects are received (617)