v2.4.1

Summary

Fixes a bug that was introduced in kube-router v2.3.0 and beyond when some of the code was refactored: #1778

Primarily affects routing to host services when navigating an IPIP tunnel. Thanks to @zerkms for finding and reporting this bug.

Changelog

• 4dafd5c fix(NRC): find all node IPs for NAT exclusion

v2.4.0

What's Changed

• .goreleaser.yml: Fix ldflag paths by @mrueg in #1770
• fix: avoid to use http.DefaultServeMux which includes defaults routes inited by go like /debug/pprof by @morlay in #1771
• build(deps): bump github.com/onsi/gomega from 1.35.1 to 1.36.0 by @dependabot in #1773
• build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in #1772
• feat(NSC): change service.local internal traffic policy posture by @aauren in #1774
• build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @dependabot in #1776

New Contributors

• @morlay made their first contribution in #1771

Full Changelog: v2.3.0...v2.4.0

v2.3.0

What's Changed

• fix: select ICMP version for common ICMP rules by @qbnit in #1713
• build(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #1717
• build(deps): bump github.com/onsi/gomega from 1.33.1 to 1.34.1 by @dependabot in #1716
• build(deps): bump golang.org/x/sys from 0.22.0 to 0.24.0 by @dependabot in #1718
• build(deps): bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 by @dependabot in #1722
• build(deps): bump github.com/docker/docker from 27.1.1+incompatible to 27.1.2+incompatible by @dependabot in #1721
• build(deps): bump github.com/coreos/go-iptables from 0.7.0 to 0.8.0 by @dependabot in #1727
• build(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.0 by @dependabot in #1725
• build(deps): bump github.com/onsi/gomega from 1.34.1 to 1.34.2 by @dependabot in #1726
• build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot in #1728
• build(deps): bump github.com/vishvananda/netlink from 1.2.1-beta.2 to 1.3.0 by @dependabot in #1729
• build(deps): bump github.com/prometheus/client_golang from 1.20.1 to 1.20.2 by @dependabot in #1731
• build(deps): bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in #1730
• build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 by @dependabot in #1734
• build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #1733
• build(deps): bump github.com/docker/docker from 27.2.0+incompatible to 27.2.1+incompatible by @dependabot in #1736
• build(deps): bump google.golang.org/grpc from 1.66.0 to 1.66.1 by @dependabot in #1735
• Enhance DSR docs aroung CRI socket mounting by @jnummelin in #1737
• Refactor: Abstract Node Info by @aauren in #1739
• build(deps): bump google.golang.org/grpc from 1.66.1 to 1.67.1 by @dependabot in #1744
• build(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 by @dependabot in #1740
• Remove some unused error fields from test cases by @twz123 in #1747
• More injectRoute() Preparation Refactors by @aauren in #1745
• build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #1753
• build(deps): bump github.com/docker/docker from 27.2.1+incompatible to 27.3.1+incompatible by @dependabot in #1743
• Fix various issues with refactors by @aauren in #1755
• fix(dsr): change grpc resolver to passthrough by @aauren in #1756
• build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5 by @dependabot in #1757
• build(deps): bump the k8s-dependencies group across 1 directory with 4 updates by @dependabot in #1758
• build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 by @dependabot in #1752
• build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 by @dependabot in #1759
• build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 by @dependabot in #1761
• Misc Fixes and Updates by @aauren in #1763
• build(deps): bump the k8s-dependencies group with 4 updates by @dependabot in #1764
• build(deps): bump golang.org/x/net from 0.30.0 to 0.31.0 by @dependabot in #1766
• build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 by @dependabot in #1768
• build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 by @dependabot in #1769

New Contributors

• @qbnit made their first contribution in #1713
• @jnummelin made their first contribution in #1737
• @twz123 made their first contribution in #1747

Full Changelog: v2.2.0...v2.3.0

v2.2.2

Summary

Just a small release that fixes DSR that has been broken on some container runtimes during the v2.X release line. See #1754 for more information.

Changelog

• 5179953 - fix(dsr): change grpc resolver to passthrough <Aaron U'Ren>

v2.2.1

What's Changed

• fix: select ICMP version for common ICMP rules by @qbnit in #1713

New Contributors

• @qbnit made their first contribution in #1713

Full Changelog: v2.2.0...v2.2.1

v2.2.0

Summary

In addition to a whole lot of dependency updates. The major update here is re-adding the missing ip6tables binary that was accidentally removed when we reverted Alpine 3.19 -> Alpine 3.18 as part of the v2.1.X line of releases.

Additionally, this also fixes a number of issues with IPv6 where there was:

• Some hard-coded /32 netmasks still in the code
• Specific IPv4 families hard-coded when looking for local interfaces
• Missing allowances for ICMPv6 neighbor discovery when network policies were applied
• An issue where bogus IPv6 routes were being added when service VIPs were added to the kube-dummy-if interface, causing traffic from the same node to no longer be able to route

Contributions

Thanks @ncopa and @mrueg for contributing to this release!

Also a big thanks to @k6av for reporting some critical issues with IPv6 support.

Changelog

• 5affda2 - feat(goreleaser): update goreleaser-action v5->v6 <Aaron U'Ren>
• a0442e5 - fix: allow basic ICMPv6 neighbor discovery <Aaron U'Ren>
• eac472c - feat(go.mod): update all deps to latest <Aaron U'Ren>
• b1a2fbf - feat(go): update 1.21.7 -> 1.22.3 <Aaron U'Ren>
• 285eb49 - build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 <dependabot[bot]>
• d091738 - build(deps): bump github.com/aws/aws-sdk-go from 1.55.4 to 1.55.5 <dependabot[bot]>
• 2522b4d - fix(getAllLocalIPs): get IPv6 & IPv4 addresses <Aaron U'Ren>
• 71072c1 - doc(NSC): add extra comments to setupHandlers call <Aaron U'Ren>
• b217e7b - fix(NSC): ensure kube-router owns kube-router-svip <Aaron U'Ren>
• 4f3e706 - build(deps): bump github.com/aws/aws-sdk-go from 1.51.32 to 1.55.4 <dependabot[bot]>
• 1cb9499 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• bab5725 - build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 <dependabot[bot]>
• e8962dd - fix(linux_networking.go): remove dangling IPv6 routes <Aaron U'Ren>
• 26b539e - fix(feature_request.md): update markdown templating <Aaron U'Ren>
• 84c3549 - fix(bug_report.md): update markdown templating <Aaron U'Ren>
• 94b17b8 - fix(utils.go): static /32 subnet mask reference <Aaron U'Ren>
• 787b906 - build(deps): bump google.golang.org/protobuf from 1.34.0 to 1.34.2 <dependabot[bot]>
• af93779 - build(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.1 <dependabot[bot]>
• 2ed68ac - build(deps): bump docker/build-push-action from 5 to 6 <dependabot[bot]>
• 4013d21 - fact(Dockerfile): fix linter warning for AS <Aaron U'Ren>
• a2d2e01 - fix(Dockerfile): re-add ip6tables binary <Aaron U'Ren>
• a1125f6 - fix: ensure that ipv6 is not disabled in kernel <Natanael Copa>
• f042d08 - build(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0 <dependabot[bot]>
• ab8c810 - build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 <dependabot[bot]>
• a6db642 - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>

v2.1.3

Summary

Another bugfix release. This one fixes an issue with TCP MSS clamping (e.g. packet MTU's not being properly negotiated during TCP handshake) and an issue where iptables wasn't properly identifying that rules existed in chains causing iptables definitions to increase with every call to sync NetworkPolicy ending up in linear growth of iptables rule definitions.

Contributions

Special thanks to @rkojedzinszky for fixing the TCP MSS clamping on DSR services.

Other Notes

The iptables definition growth was seemingly caused by iptables user-space tooling v1.8.10 which means that this likely only affected users of the kube-router container that was updated to alpine 3.19. User's using kube-router as a daemon outside a container runtime, may want to be wary of updating the iptables user-space to that version.

Changelog

• f6c45f3 - feat(alpine): revert 3.19 -> 3.18 <Aaron U'Ren>
• e980a17 - fix(nsc): remove previous TCPMSS rules during setting up DSR <Richard Kojedzinszky>
• defdf64 - fix(nsc): remove previous TCPMSS rules <Aaron U'Ren>
• b1070f1 - feat(nsc): apply TCPMSS rules on kube-bridge interface only <Richard Kojedzinszky>
• 5fdde06 - fix(nsc): TCPMSS rules are created per-service and for reply packets only <Richard Kojedzinszky>

v2.1.2

Summary

Fixes a problem where ipsets were not getting tracked correctly across different IP families for dual-stack clusters. This caused instances where communication with the pod would no longer work correctly after a pod, that had a NetworkPolicy applied to it, got a new IP address such as during restarts or the like.

Changelog

• 82f7917 - fix(ipset): reset ipset handler before use <Aaron U'Ren>
• d086841 - fact(ipset): simplify cleanup code by reducing family complexity <Aaron U'Ren>
• 28585f6 - fix(ipset.go): make IP families distinct in ipset handler <Aaron U'Ren>
• 2d2850a - feat(ipset.go): add set type and new line to debug msg <Aaron U'Ren>

v2.1.1

Summary

This release fixes a lot of issues that have been present since the release of v2.0.0. v2.0.0 has been gaining adoption slowly and it has only been recently that users have been reporting some of the issues related with dual-stack configurations.

The big additions for this release include:

• Fixing broken compatibility with iptables-legacy systems experienced with the upstream kube-router container since version v2.1.0 (which is when Alpine 3.19 was introduced). There are now tests to ensure that this type of regression doesn't happen again.
• Fixes IPv6 network policy which has been substantially broken since v2.0.0. When IPv6 network policy was introduced, it was missed that iptables statements need to reference these sets via the inet6 prefix in order to use them correctly. As such, most network policies were not correctly applying.
• kube-router no longer activates the hairpin controller which was introduced in v2.1.0, instead relying on user's correctly configuring their CNI with hairpinMode: true (see https://www.kube-router.io/docs/user-guide/#hairpin-mode for more details)
• Adds fallback logic for referencing rt_tables, the path of which changed in versions of iproute2 v6.5.0 and above. Users that have newer systems, enable DSR, and run kube-router within a container should check to ensure this file is mounted correctly within the kube-router container.
• kube-router no longer tries and fails to enter pods to setup DSR for pods that are not scheduled on it's node
• kube-router no longer tries and fails to setup DSR for pods that are part of the host's network
• Fixes --cleanup-config mode which has been broken since v2.0.0 (please see docs for updated examples of how to run this from within a container)

Special Note for Users that Run Hairpin Mode Enabled Services

If you use hairpin mode either as a service annotation or a CLI parameter to kube-router, we recommend that you check your CNI configuration file to ensure that you are setting "hairpinMode":true on the bridge CNI plugin. This is the only way that hairpin mode will work correctly as the previous hairpin controller built into kube-router has now been disabled as it was a tricky implementation and had significant problems with irregular containers.

If you find that you need to add this to your CNI config file, please ensure that kubelet has been restarted, and that any pods that rely on hairpinning have been restarted as well.

See https://www.kube-router.io/docs/user-guide/#hairpin-mode for more information.

Contributions

A big thanks @elchenberg & @xujunjie-cover for contributing fixes for this release!

Changelog

• e42792f - kubeadm-kuberouter-all-features-dsr.yaml: update to include hairpinMode <Aaron U'Ren>
• 317c754 - fix(hairpin): rely on CNI hairpin mode <Aaron U'Ren>
• 9d9b796 - fix(service_endpoints_sync): bail out of DSR when HostNetwork detected <Aaron U'Ren>
• a633849 - feat(NSC.utils): add getPodListForService & getServiceForServiceInfo <Aaron U'Ren>
• b270750 - fact: nsc.getPodObjectForEndpoint -> nsc.getPodObjectForEndpointIP <Aaron U'Ren>
• 567c891 - fix(linux_networking): add more information to errors <Aaron U'Ren>
• e40f46e - fix(user-guide.md): update cleanup example <Aaron U'Ren>
• ecaad2c - fix(cleanup): add missing handlers for cleanup <Aaron U'Ren>
• 7755b4a - fix(node.go): improve logic for GetNodeObject <Aaron U'Ren>
• d12f422 - fix(policy): generate ipv6 names correctly <Aaron U'Ren>
• 2c7151b - fix(policy.go): use new utility method ipSetName <Aaron U'Ren>
• c762eaf - feat(ipset): add more name utilities <Aaron U'Ren>
• ada3179 - fix: wrong ipset name used by ip6tables. <xujunjie-cover>
• b423b1f - feat(NSC): ensure rp_filter is set correctly <Aaron U'Ren>
• af1b07a - fix(service_endpoints_sync.go): error to be indicative of failure type <Aaron U'Ren>
• 421a113 - fix(DSR): setup DSR inside pod on local eps only <Aaron U'Ren>
• 886c1d7 - feat(Dockerfile): use iptables-wrapper go binary <elchenberg>
• 683ef6e - feat(Dockerfile): remove obsolete nsswitch.conf creation <elchenberg>
• c685f2f - feat(Dockerfile): add checks for required binaries <elchenberg>
• b1cc158 - fix(Dockerfile): install iptables-legacy package <elchenberg>
• 4b011db - Fix typo <Jean-Philippe Evrard>
• 5b4975b - build(deps): bump github.com/osrg/gobgp/v3 from 3.23.0 to 3.25.0 <dependabot[bot]>
• f37444f - build(deps): bump golang.org/x/net from 0.22.0 to 0.24.0 <dependabot[bot]>
• 8ab6f49 - build(deps): bump google.golang.org/grpc from 1.62.0 to 1.63.2 <dependabot[bot]>
• bd640c3 - build(deps): bump github.com/aws/aws-sdk-go from 1.51.11 to 1.51.21 <dependabot[bot]>
• 1bae5d5 - build(deps): bump actions/stale from 8 to 9 <dependabot[bot]>
• b1f7b9a - build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 <dependabot[bot]>
• 58fe139 - build(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 <dependabot[bot]>
• 5c871a5 - build(deps): bump docker/setup-buildx-action from 2 to 3 <dependabot[bot]>
• 5fc2914 - build(deps): bump github.com/aws/aws-sdk-go from 1.51.2 to 1.51.11 <dependabot[bot]>
• a737576 - build(deps): bump docker/login-action from 2 to 3 <dependabot[bot]>
• 260759f - build(deps): bump actions/setup-go from 4 to 5 <dependabot[bot]>
• 1db3438 - fix: rt_tables -> rt-tables in daemonset examples <Aaron U'Ren>
• 7092060 - fix(rt_tables): add path fallback logic <Aaron U'Ren>
• 7f67791 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 0a2a9d4 - build(deps): bump github/codeql-action from 2 to 3 <dependabot[bot]>
• 614d472 - doc(DSR): add /etc/iproute2/rt_tables caveat <Aaron U'Ren>
• 1909918 - build(deps): bump the k8s-dependencies group with 4 updates <dependabot[bot]>
• f9d1528 - build(deps): bump docker/setup-qemu-action from 2 to 3 <dependabot[bot]>
• 603afce - build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 <dependabot[bot]>
• 49bde6e - build(deps): bump goreleaser/goreleaser-action from 4 to 5 <dependabot[bot]>
• ef10568 - build(deps): bump docker/build-push-action from 4 to 5 <dependabot[bot]>
• 1811ae8 - build(deps): bump github.com/aws/aws-sdk-go from 1.50.30 to 1.51.2 <dependabot[bot]>
• 4818624 - build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 <dependabot[bot]>
• 8c5bdbf - build(deps): bump actions/checkout from 3 to 4 <dependabot[bot]>
• 785f814 - dependabot: Group kubernetes dependencies <Manuel Rüger>
• 5bbbd13 - doc(CONTRIBUTING.md): fix relative link <Aaron U'Ren>
• cff45a6 - docs(index.md): improve styling <Aaron U'Ren>

v1.6.1

Just some small fixes for DSR on the v1.6.X release line.

Changelog

• 4d8eecd - feat(ci.yml): don't update latest tag for v1.6 releases <Aaron U'Ren>
• a382475 - fix(rt_tables): add path fallback logic <Aaron U'Ren>