fix(deps): update module github.com/cilium/cilium to v1.14.16 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.14.12 -> v1.14.16

GitHub Vulnerability Alerts

CVE-2024-42488

Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

• All versions of Cilium before v1.14.14
• Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

• Cilium v1.14.14
• Cilium v1.15.8

Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @​skmatti for raising and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-47825

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

• A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
• This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8

---

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all

Patches

This issue affects:

• Cilium v1.14 between v1.14.0 and v1.14.15 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.9 inclusive

This issue has been patched in:

• Cilium v1.14.16
• Cilium v1.15.10

Workarounds

Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required.

No workaround is available to users with egress policies that explicitly specify toEntities: all.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​squeed, @​christarazi, and @​jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.14.16: 1.14.16

Compare Source

Summary of Changes

Bugfixes:

• datapath: Fix redirect from from L3 netdev to tunnel (Backport PR #​35265, Upstream PR #​33421, @​brb)
• Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #​35279, Upstream PR #​35109, @​jrajahalme)
• Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #​35279, Upstream PR #​35033, @​WeeNews)
• Fixes startup fatal error when updating CiliumNode resource. (Backport PR #​34916, Upstream PR #​34862, @​harsimran-pabla)

CI Changes:

• .github/lint-build-commits: fix workflow for push events (Backport PR #​35279, Upstream PR #​35264, @​aanm)
• .github: create cache directories on cache miss (Backport PR #​35176, Upstream PR #​35088, @​aanm)
• .github: do not push floating tag from PRs (Backport PR #​35229, Upstream PR #​35227, @​aanm)
• .github: install golang action after checkout (Backport PR #​35176, Upstream PR #​34843, @​aanm)
• .github: re-enable configurations in e2e-upgrade (Backport PR #​35176, Upstream PR #​34800, @​aanm)
• .github: specify cache-dependency-path in lint-workflows (Backport PR #​35176, Upstream PR #​34845, @​aanm)
• ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #​34916, Upstream PR #​34820, @​aanm)
• fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #​34916, Upstream PR #​34902, @​Artyop)

Misc Changes:

• .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #​35176, Upstream PR #​34847, @​aanm)
• .github: clean up disk for lint-build workflow (Backport PR #​35176, Upstream PR #​35141, @​aanm)
• .github: fix build image process to commit changes (Backport PR #​35279, Upstream PR #​35262, @​aanm)
• .github: fix lvh-kind warnings (Backport PR #​35176, Upstream PR #​34811, @​aanm)
• .github: fix runtime image digests (Backport PR #​35119, Upstream PR #​35107, @​aanm)
• .github: push floating tag for push events for stable branches (#​35234, @​aanm)
• [v1.14] contrib/scripts: set 755 permissions for builder.sh (#​35266, @​aanm)
• Change GH runners to GH's default (Backport PR #​35176, Upstream PR #​33451, @​aanm)
• chart: define the envoy image variable in the makefile (Backport PR #​35113, Upstream PR #​27725, @​weizhoublue)
• chore(deps): update all github action dependencies (v1.14) (#​35029, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​35087, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​35252, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.14) (#​35028, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.14) (#​35001, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.14) (#​35204, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1.16.2 (v1.14) (#​35242, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.14) (#​35093, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.8 (v1.14) (#​35205, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (#​35085, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (#​35108, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.14) (#​35220, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.14) (#​35285, @​cilium-renovate[bot])
• helm: set key usages for hubble certificates with cert-manager (Backport PR #​35038, Upstream PR #​34946, @​kaworu)
• images/builder: get rid of annoying git ownership warnings (Backport PR #​35279, Upstream PR #​31538, @​ti-mo)
• Improve speed on lint commits GH workflow (Backport PR #​35176, Upstream PR #​34848, @​aanm)
• Re-write GitHub cache usages across workflows (Backport PR #​35176, Upstream PR #​34866, @​aanm)

Other Changes:

• [v1.14] image: Update runtime, builder images (#​35097, @​sayboras)
• install: Update image digests for v1.14.15 (#​35050, @​cilium-release-bot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2
quay.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186
quay.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186

docker-plugin

docker.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d
quay.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d

hubble-relay

docker.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9
quay.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0
quay.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7
quay.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7

operator-aws

docker.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1
quay.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1

operator-azure

docker.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448
quay.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448

operator-generic

docker.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8
quay.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8

operator

docker.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef
quay.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef

v1.14.15: 1.14.15

Compare Source

We are happy to release Cilium v1.14.15!

This release brings us upstream filter chains for L7 LB policy enforcement, bugfixes, CI fixes and many many more! See summary of changes below!

Summary of Changes

Minor Changes:

• cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #​34458, Upstream PR #​32119, @​jrajahalme)
• docs: Update examples for CNP L7 Host (Backport PR #​34646, Upstream PR #​34578, @​sayboras)

Bugfixes:

• config: fix disabling config 'Debug' (Backport PR #​34471, Upstream PR #​34401, @​mhofstetter)
• envoy: fix log level mapping when changing log level via API (Backport PR #​34459, Upstream PR #​34400, @​mhofstetter)
• ipcache: Yet another refcounting fix with mix of APIs (Backport PR #​34713, Upstream PR #​34715, @​gandro)

CI Changes:

• .github: change nick-invision/retry -> nick-fields/retry. (#​34737, @​michi-covalent)
• ci: clean disk only on ubuntu-latest runners (Backport PR #​34829, Upstream PR #​34711, @​marseel)
• ci: Confromance E2E wait for images before matrix generation (Backport PR #​34829, Upstream PR #​34707, @​marseel)
• ci: multi pool run tests concurrently (Backport PR #​34364, Upstream PR #​33945, @​viktor-kurchenko)
• ci: Wait for images before generating test matrix (Backport PR #​34829, Upstream PR #​34727, @​marseel)
• Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #​34829, Upstream PR #​34650, @​Artyop)
• gha: Add disk cleanup step for build and test workflow (Backport PR #​34364, Upstream PR #​34339, @​sayboras)
• gha: Free up Github runner disk space (Backport PR #​34364, Upstream PR #​34247, @​sayboras)
• gha: Remove ci-aks workflow (#​34606, @​sayboras)

Misc Changes:

• [v1.14] hive: prevent goleak error due to race condition (#​34658, @​marseel)
• Add source IP visibility info to Ingress and Gateway API docs (Backport PR #​34369, Upstream PR #​34137, @​youngnick)
• Add source IP visibility info to Ingress and Gateway API docs (Backport PR #​34459, Upstream PR #​34137, @​youngnick)
• chore(deps): update all github action dependencies (v1.14) (#​34572, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​34763, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.14) (#​34120, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.14) (#​34508, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.14) (#​34885, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1.16.1 (v1.14) (#​34854, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.18.9 (v1.14) (#​34762, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.14) (#​34901, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to adbb901 (v1.14) (#​34697, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.16 (v1.14) (#​34905, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.7 (v1.14) (#​34734, @​cilium-renovate[bot])
• chore(deps): update kindest/node docker tag to v1.27.16 (v1.14) (#​34509, @​cilium-renovate[bot])
• chore: Avoid docker warning due to casing (Backport PR #​34859, Upstream PR #​34125, @​sayboras)
• cilium-dbg: add Envoy admin commands (Backport PR #​34495, Upstream PR #​34398, @​mhofstetter)
• docs: Avoid using wildcard TLS certificate (Backport PR #​34829, Upstream PR #​34609, @​sayboras)
• docs: Improve Ingress documentation (Backport PR #​34369, Upstream PR #​33698, @​youngnick)
• docs: Improve Ingress documentation (Backport PR #​34459, Upstream PR #​33698, @​youngnick)
• Documentation: Update readthedocs configuration (Backport PR #​34364, Upstream PR #​34190, @​joestringer)
• fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #​34459, Upstream PR #​34372, @​Artyop)
• images: fix path script (Backport PR #​34766, Upstream PR #​34764, @​aanm)
• ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #​34495, Upstream PR #​34221, @​jschwinger233)

Other Changes:

• [v1.14] CODEOWNERS: switch cilium/tophat to cilium/committers (#​34888, @​julianwiedmann)
• [v1.14] envoy: Bump envoy version from v1.29.7 to v1.29.9 (#​34963, @​sayboras)
• [v1.14] envoy: Switch to image with timestamp tag (#​34393, @​sayboras)
• envoy: Bump golang version (#​34329, @​sayboras)
• install: Update image digests for v1.14.14 (#​34377, @​cilium-release-bot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d
quay.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b
quay.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b

docker-plugin

docker.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f
quay.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f

hubble-relay

docker.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7
quay.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0
quay.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd
quay.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd

operator-aws

docker.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175
quay.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175

operator-azure

docker.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668
quay.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668

operator-generic

docker.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870
quay.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870

operator

docker.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f
quay.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f

v1.14.14: 1.14.14

Compare Source

Security Advisories

This release addresses GHSA-q7w8-72mr-vpgw.

Summary of Changes

Bugfixes:

• DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #​33815, Upstream PR #​33592, @​gandro)
• Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #​34184, Upstream PR #​34091, @​giorio94)
• Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #​33815, Upstream PR #​33735, @​giorio94)
• pkg/metrics: fix data race warning on metrics init hook. (Backport PR #​33963, Upstream PR #​33823, @​tommyp1ckles)
• Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #​31735, Upstream PR #​33551, @​julianwiedmann)
• The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #​34150, Upstream PR #​33666, @​bimmlerd)

CI Changes:

• [v1.14] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel (#​33737, @​julianwiedmann)
• gha: Add http client timeout in Ingress (Backport PR #​33815, Upstream PR #​33683, @​sayboras)
• gha: add spot input to setup-eks-cluster action (#​33848, @​giorio94)
• gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #​33963, Upstream PR #​33819, @​giorio94)
• gha: ensure that helm values.schema.json is not accidentally backported (Backport PR #​33963, Upstream PR #​33845, @​giorio94)
• gha: lint absence of trailing spaces in workflow files (Backport PR #​34150, Upstream PR #​33908, @​giorio94)
• gha: simplify the call-backport-label-updater workflow (Backport PR #​33963, Upstream PR #​33934, @​giorio94)
• test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #​34150, Upstream PR #​34004, @​tommyp1ckles)
• workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #​34150, Upstream PR #​33769, @​pchaigno)

Misc Changes:

• [v1.14] Update Docker dependency (#​34189, @​ferozsalam)
• chore(deps): update all github action dependencies (v1.14) (#​34054, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​34171, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.14) (#​33651, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.14) (#​34052, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.14) (#​33800, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.14) (#​33801, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1 (v1.14) (#​34055, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.6 (v1.14) (#​34264, @​cilium-renovate[bot])
• daemon/ipam: don't swallow parse error of CIDR (Backport PR #​33815, Upstream PR #​33283, @​bimmlerd)
• doc: update slack channel reference (Backport PR #​34150, Upstream PR #​34044, @​Huweicai)
• docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #​33815, Upstream PR #​33655, @​aditighag)
• docs: Extend LRP guide with troubleshooting section (Backport PR #​33815, Upstream PR #​33373, @​aditighag)
• docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #​33815, Upstream PR #​33626, @​giorio94)
• docs: Update LVH VM image pull instructions (Backport PR #​33815, Upstream PR #​33621, @​brb)
• Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #​33815, Upstream PR #​33708, @​Mais316)
• helm: Allow socket linger timeout to be set to zero (Backport PR #​33963, Upstream PR #​33887, @​gandro)
• renovate: onboard etcd image used in integration tests (Backport PR #​33815, Upstream PR #​33679, @​giorio94)

Other Changes:

• [v1.14] ci: use base and head SHAs from context in lint-build-commits workflow (#​34268, @​tklauser)
• [v1.14] Revert "docs: Update LRP feature status" (#​34239, @​ysksuzuki)
• chore(deps): update go to v1.22.5 (#​34073, @​YutaroHayakawa)
• Fix IPSec XfrmInStateProtoError errors on agent restart in cluster pool IPAM mode (#​34030, @​dylandreimerink)
• install: Update image digests for v1.14.13 (#​33746, @​cilium-release-bot[bot])

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637
quay.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135
quay.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135

docker-plugin

docker.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2
quay.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2

hubble-relay

docker.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac
quay.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41
quay.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49
quay.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49

operator-aws

docker.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80
quay.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80

operator-azure

docker.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51
quay.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51

operator-generic

docker.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2
quay.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2

operator

docker.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded
quay.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded

v1.14.13: 1.14.13

Compare Source

Summary of Changes

We are pleased to release Cilium v1.14.13, which includes and updated Hubble UI, as well as stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!

Minor Changes:

• ui: v0.13.1 release (Backport PR #​33227, Upstream PR #​32852, @​geakstr)

Bugfixes:

• envoy: Avoid short circuit backend filtering (Backport PR #​33534, Upstream PR #​33403, @​sayboras)
• Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #​32093, Upstream PR #​31840, @​julianwiedmann)
• Fix too many open Unix sockets (Backport PR #​33632, Upstream PR #​33569, @​chaunceyjiang)
• Generate SBOM from the correct release image (#​33051, @​ferozsalam)
• helm: Decouple sysctlfix from cgroup.autoMount (Backport PR #​33099, Upstream PR #​32866, @​YutaroHayakawa)
• ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport PR #​33632, Upstream PR #​33512, @​jasonaliyetti)
• IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport PR #​33530, Upstream PR #​33448, @​jrajahalme)
• Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #​33632, Upstream PR #​33551, @​julianwiedmann)
• Revert PR #​32244 which caused unintended side-effects that negatively impacted network performance. (Backport PR #​33377, Upstream PR #​33304, @​learnitall)
• socketlb: tolerate cgroupv1 when detaching bpf programs (Backport PR #​33632, Upstream PR #​33599, @​rgo3)
• Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport PR #​33632, Upstream PR #​33472, @​jasonaliyetti)

CI Changes:

• [v1.14] Disable release SBOM asset uploads (#​33073, @​ferozsalam)
• Bump CLI to v0.16.11 (Backport PR #​33530, Upstream PR #​33444, @​brb)
• ci: Add IPsec leak detection for ci-ipsec-e2e (Backport PR #​33048, Upstream PR #​32930, @​jschwinger233)
• ci: use env variable to store branch name (Backport PR #​33377, Upstream PR #​26779, @​ferozsalam)
• gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport PR #​33632, Upstream PR #​33509, @​julianwiedmann)
• gha: Only retrieve IPv4 CIDR from docker network (Backport PR #​33111, Upstream PR #​33093, @​sayboras)

Misc Changes:

• .github: add workflow for renovate to build base images (Backport PR #​33347, Upstream PR #​33326, @​aanm)
• .github: fix cloud workflows for renovate (Backport PR #​33322, Upstream PR #​33320, @​aanm)
• .github: fix worfklows used by renovate (Backport PR #​33316, Upstream PR #​33309, @​aanm)
• .github: fix workflows for on push (#​33369, @​aanm)
• [v1.14] - remove tracking of backports with MLH (#​33125, @​aanm)
• Add auto-merge for renovate for trusted dependencies (Backport PR #​33316, Upstream PR #​33287, @​aanm)
• build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (Backport PR #​33377, Upstream PR #​33218, @​dependabot[bot])
• build-images-base: cancel github runs based on branch name (Backport PR #​33377, Upstream PR #​33353, @​aanm)
• build-images-base: push to branch if pull request ref doesn't exist (Backport PR #​33377, Upstream PR #​33368, @​aanm)
• build-images: fetch artifacts with specific pattern (Backport PR #​33377, Upstream PR #​33216, @​aanm)
• chore(deps): update all github action dependencies (v1.14) (#​33188, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​33363, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​33496, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#​33636, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.11 (v1.14) (#​33652, @​cilium-renovate[bot])
• chore(deps): update cilium/scale-tests-action digest to 511e3d9 (v1.14) (#​33215, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.10 (v1.14) (#​32992, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.18.7 (v1.14) (#​33355, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 (v1.14) (#​33178, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 (v1.14) (#​33339, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v5.4.0 (v1.14) (#​33019, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v6 (v1.14) (#​33206, @​cilium-renovate[bot])
• chore(deps): update go to v1.21.12 (v1.14) (#​33540, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.1.13 (v1.14) (#​33179, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​33007, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​33182, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​33362, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#​33635, @​cilium-renovate[bot])
• daemon: Allow DNS transparent mode to be turned off with encryption (Backport PR #​33530, Upstream PR #​33420, @​gandro)
• docs: Improve note on kube-apiserver entity limitations (Backport PR #​33530, Upstream PR #​33382, @​gandro)
• docs: ipsec: mention dependency on transparent mode for DNS proxy (Backport PR #​33099, Upstream PR #​33062, @​julianwiedmann)
• Documentation: accept ORG and REPO (Backport PR #​33530, Upstream PR #​33514, @​aanm)
• examples: Fix subject selector in ingress policy (Backport PR #​33377, Upstream PR #​33292, @​joestringer)
• Fix renovate's concurrency group (Backport PR [#&adds controller healthchecks #820

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: KubeArmor/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
github.com/containerd/containerd	v1.7.13 -> v1.7.20
github.com/docker/docker	v25.0.5+incompatible -> v27.1.1+incompatible
github.com/Microsoft/go-winio	v0.6.1 -> v0.6.2
github.com/distribution/reference	v0.5.0 -> v0.6.0
go.opentelemetry.io/otel	v1.25.0 -> v1.28.0
go.opentelemetry.io/otel/metric	v1.25.0 -> v1.28.0
go.opentelemetry.io/otel/trace	v1.25.0 -> v1.28.0