1.14.8

We are pleased to release Cilium v1.14.8.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories
for details.

• GHSA-68mj-9pjq-mc85
• GHSA-j89h-qrvr-xc36
• GHSA-v6q2-4qr3-5cw6

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

• Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30835, Upstream PR #28723, @julianwiedmann)
• Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31337, Upstream PR #31205, @squeed)

Bugfixes:

• endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #31000, Upstream PR #30170, @oblazek)
• Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31048, Upstream PR #30909, @aanm)
• Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR #31186, Upstream PR #30837, @jschwinger233)
• Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31160, Upstream PR #29530, @jschwinger233)
• Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31160, Upstream PR #29594, @jschwinger233)
• Fixes proxy issues in egress direction (Backport PR #31160, Upstream PR #30095, @jschwinger233)
• helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #31000, Upstream PR #30970, @iandrewt)
• Policy revert used in rare error cases has been corrected. (Backport PR #30882, Upstream PR #29162, @jrajahalme)
• srv6: Fix packet drop with GSO type mismatch (Backport PR #30800, Upstream PR #30732, @YutaroHayakawa)
• xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31156, Upstream PR #31061, @sayboras)

CI Changes:

• Align again conformance clustermesh matrix entries with main as the interoperability issue has been fixed (#30912, @giorio94)
• ci-e2e: restore 6.1 kernels (#30862, @lmb)
• ci/ipsec: Fix downgrade version retrieval (Backport PR #31048, Upstream PR #30742, @qmonnet)
• ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30864, Upstream PR #30790, @brlbil)
• CI: Update tested K8S versions across all cloud providers (Backport PR #30864, Upstream PR #30795, @brlbil)
• Fix datapath mode in Network Performance CI test (Backport PR #30864, Upstream PR #30756, @marseel)
• workflows: Clean IPsec test output (Backport PR #30800, Upstream PR #30759, @pchaigno)

Misc Changes:

• bgpv1: Remove disruptive error handling from BGPRouterManager (#30765, @YutaroHayakawa)
• bgpv1: Remove or downgrade noisy logs (Backport PR #31000, Upstream PR #30868, @YutaroHayakawa)
• bitlpm: Factor out common code (Backport PR #31156, Upstream PR #31026, @jrajahalme)
• bpf: host: optimize from-host's ICMPv6 path (Backport PR #31186, Upstream PR #31127, @julianwiedmann)
• bpf: host: skip from-proxy handling in from-netdev (Backport PR #31160, Upstream PR #29962, @julianwiedmann)
• bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31160, Upstream PR #29721, @julianwiedmann)
• bpf: minor ICMPv6 improvements (Backport PR #31186, Upstream PR #26563, @julianwiedmann)
• bugtool: Capture memory fragmentation info from /proc (Backport PR #31156, Upstream PR #30966, @pchaigno)
• Bump google.golang.org/protobuf (v1.14) (#31314, @ferozsalam)
• chore(deps): update actions/download-artifact action to v4.1.3 (v1.14) (#30989, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#30954, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#31114, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#31294, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (patch) (#31136, @renovate[bot])
• chore(deps): update all github action dependencies to v4 (v1.14) (major) (#30782, @renovate[bot])
• chore(deps): update all-dependencies (v1.14) (#30952, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.14) (#30861, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.14) (#31173, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.14) (#31291, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.14) (#30739, @renovate[bot])
• chore(deps): update go to v1.21.7 (v1.14) (#30953, @renovate[bot])
• chore(deps): update go to v1.21.8 (v1.14) (#31184, @renovate[bot])
• chore(deps): update hubble cli to v0.13.2 (v1.14) (#31339, @renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.14) (#30979, @renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#30653, @renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#31137, @renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#31293, @renovate[bot])
• container/bitlpm: Add Lookup Boolean Return Value (Backport PR #31156, Upstream PR #31037, @nathanjsweet)
• docs: Document XfrmInStateInvalid errors (Backport PR #30800, Upstream PR #30151, @pchaigno)
• docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31156, Upstream PR #30462, @saintdle)
• identity/cache: only call SortedList for release (Backport PR #30864, Upstream PR #27796, @bimmlerd)
• images: bump cni plugins to v1.4.1 (#31349, @aanm)
• lbipam: copy slice before modification in (*LBIPAM).handlePoolModified (Backport PR #31000, Upstream PR #30859, @tklauser)
• loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR #31156, Upstream PR #31025, @julianwiedmann)
• pkg: Add Bitwise LPM Trie Library (Backport PR #30864, Upstream PR #29717, @nathanjsweet)
• pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31160, Upstream PR #29761, @julianwiedmann)
• slices: don't modify input slices in test (Backport PR #31000, Upstream PR #30677, @tklauser)

Other Changes:

• [v1.14] bpf: nodeport: add missing ifindex in NAT trace event (#31022, @julianwiedmann)
• [v1.14] envoy: Bump golang version to 1.21.8 (#31222, @sayboras)
• [v1.14] iptables: Read CNI chaining mode from CNI config manager (#31265, @pippolo84)
• cli: Replace --cluster-name with --helm-set cluster.name (#31177, @michi-covalent)
• install: Update image digests for v1.14.7 (#30752, @michi-covalent)
• Upgrade GoBGP to v3.23.0 and backport #28293 (#30793, @YutaroHayakawa)
• v1.14: WG L7 (#31267, @brb)