v2.8.1

Summary

v2.8.1 is a patch with a security fix to remove the logging of node BGP annotations when verbose logging is enabled (--v=2) as these annotations can contain BGP passwords. This issue was introduced in 2.7.0.

Contributions

Thanks to @offset for both reporting the issue and coming up with the proposed fix with this advisory.

Changelog

• bed22a2 Merge pull request #2052 from cloudnativelabs/advisory-fix-1

v2.8.0

Security Notice

This release contains an important security fix. A GitHub Security Advisory (GHSA) & CVE with full details will be
published soon. We are releasing the fix ahead of the advisory to give operators time to upgrade.

Edit on 3/17/2026 - This release addresses the vulnerabilities found and reported by @b0b0haha and @j311yl0v3u (thank you!) via GHSA-phqm-jgc3-qf8g and CVE-2026-32254

We strongly recommend that all users upgrade to v2.8.0 as soon as possible. This is especially critical for
multi-tenant clusters or clusters where untrusted users have the ability to create or modify Service resources.

If you have questions or concerns, please reach out via the #kube-router channel on
Kubernetes Slack or email admin@kube-router.io.

Breaking Changes

Service IP Range Validation on by Default

This release introduces a new command-line flag which is by default enabled:

• --strict-external-ip-validation (default: true) -- When enabled, externalIPs and loadBalancerIPs on Service
  resources are validated against the configured --service-external-ip-range and --loadbalancer-ip-range flags.
  IPs that fall outside the allowed ranges or that conflict with the cluster IP range are rejected. When no ranges are
  configured and strict mode is enabled, all externalIPs and loadBalancerIPs are rejected (default-deny). We recommend
  enabling this flag on all clusters.

See the user guide for configuration details.

For this release the kube-router team STRONGLY recommends that you either:

• Have all of your service ranges defined correctly via the --service-external-ip-range and --loadbalancer-ip-range flags
  and ensure that all of your current services have VIPs that are contained in the ranges defined before upgrading to v2.8.0
• Set --strict-external-ip-validation=false as one of your options to kube-router before upgrading to v2.8.0. Note
  doing this in a multi-tenant cluster is not recommended by the project.

Prometheus Metric Changes

kube_router_controller_bgp_peers has been replaced with the new metric kube_router_bgp_peer_info which contains
more information about the peer's state as well as includes externally configured peers (whereas the previous metric
only showed kube-router based peering info).

Summary

v2.8.0 brings a security hardening release focused on service IP validation, along with SCTP support, a new BGP peer
info metric, and extensive documentation improvements.

Additionally, with this release the kube-router project officially welcomes @catherinetcai to our small maintainer
group! Big thanks for all of the support she's already provided and we look forward to seeing how she improves
kube-router in the months / years to come. :)

SCTP Support

kube-router now supports the SCTP protocol in Service resources, extending the existing TCP and UDP support. This includes
proper handling in IPVS service proxy, iptables rules, and node port specifications.

BGP Peer Info Metric

A new Prometheus metric kube_router_bgp_peer_info has been added, providing detailed information about BGP peer
state. The previous controller_bgp_peers metric name has been replaced.

Documentation Overhaul

This release includes a significant documentation refresh:

• Updated and modernized the user guide, architecture docs, and troubleshooting guide
• Added table of contents to long-form documentation
• Corrected spelling and grammar throughout
• Added a code of conduct and pull request template
• Added AI agent guidelines for contributors
• Added a supported versions statement
• Updated the architecture diagram to include the Load Balancer Allocator controller

Contributions

Thanks to the community members who contributed to this release:

• SCTP support: @damex
• BGP peer info metric: @damex

Changelog

• 0e94d43 - doc(user-guide.md): add service IP validation to table of contents <Aaron U'Ren>
• a1f0b2e - fix: validate external IPs and LB IPs against configured ranges <Aaron U'Ren>
• 06cff2e - doc: remove slashes from headings to fix website generation <Aaron U'Ren>
• 193bef9 - doc: update architecture diagram with lbc <Aaron U'Ren>
• dec6b7d - chore(.gitignore): add a place for personal scripts <Aaron U'Ren>
• 4ff7c86 - doc: add a statement about supported versions of kube-router <Aaron U'Ren>
• 070d956 - feat(lint): add basic typos checker to ensure less spelling mistakes in the future <Aaron U'Ren>
• 1df7ecd - doc: add table of contents to long markdown files <Aaron U'Ren>
• 2f26e67 - doc(troubleshoot.md): add content to the guide <Aaron U'Ren>
• 3e193a7 - doc: correct spelling and grammar mistakes <Aaron U'Ren>
• 06b0b74 - doc: update and modernize documentation <Aaron U'Ren>
• e4b356c - doc(CODE_OF_CONDUCT.md): add a basic code of conduct <Aaron U'Ren>
• b5b1081 - doc(development): update / clarify development / contribution practices <Aaron U'Ren>
• f566822 - chore: add Cat C (catherinetcai) to maintainer list <Aaron U'Ren>
• 39efb92 - feat: add support for SCTP <Roman Kuzmitskii>
• 62d1788 - chore(PULL_REQUEST_TEMPLATE.md): add a pull request template to help guide users towards adhering to the AI policy <Aaron U'Ren>
• ac57ed5 - doc(ai): add AI documentation and usage guidelines with AGENTS file <Aaron U'Ren>
• f05ae5a - doc(metrics.md): replace controller_bgp_peers -> bgp_peer_info <Aaron U'Ren>
• b1a34ed - feat(gobgp): add kube_router_bgp_peer_info metric <Roman Kuzmitskii>
• b40e947 - build(deps): bump golang.org/x/net from 0.49.0 to 0.51.0 <dependabot[bot]>
• 5cee14c - build(deps): bump goreleaser/goreleaser-action from 6 to 7 <dependabot[bot]>

v2.7.1

Summary

Fixes a minor issue with AWS where source / destination checking wasn't being disabled correctly since version 2.6.0 until now.

Changelog

• fda5ebc fix(aws.go): load region before attempting to assume a role

v2.7.0

Summary

Welcome to another full minor release update of kube-router! This one comes with several large-ish fixes along with a
few improvements to functionality.

First off the major dependency version changes:

• Bump Go 1.25.1 -> 1.25.7
• CNI plugins v1.8.0 -> v1.9.0
• GoBGP 3.37.0 -> 4.2.0
• Add bugfixes to iptables wrapper script from upstream

Node Annotation Consolidation

v2.7.0 also comes with a major change to the way BGP peers can be configured via node annotations. Node annotations can
still be configured with the previous method of comma separated values. However, they can also now be configured using a
consolidated embedded yaml form:

kubectl annotate node <kube-node> \
kube-router.io/peers="$(cat <<'EOF'
- remoteip: 192.168.1.99
  remoteasn: 65000
  password: U2VjdXJlUGFzc3dvcmQK
- remoteip: 192.168.1.100
  remoteasn: 65000
  password: U2VjdXJlUGFzc3dvcmQK
EOF
)"

See using consolidated annotations for more information.

Other Notable Changes

• Add better unit testing to Network Services Controller (--run-service-proxy) to prevent future regressions - This
  hopefully helps curb one of the largest sources of functionality regressions over the past several years within
  kube-router
• Configure AFI SAFI for dual stack clusters regardless of graceful restart setting - Previously, this was configured for the
  primary IP family (becuase GoBGP does this by default), but the secondary family would only get AFI SAFI
  configurations if graceful restart was configured (--bgp-graceful-restart)
• Correctly configure TCPMSS for IPv6 tunnels - Previously TCPMSS clamping was a one-size-fits-all based on the size of
  IPv4 headers. Now they are properly configured per family
• Retry certain netlink calls which fixes early start race conditions - Some users noticed a race condition on ip link
  setup when kube-router was starting as the node's OS was also starting. This should fix that edge case.

Contributions

Thanks to all of the community members that helped contribute to this release! Your volunteered time is what makes open
source projects like this one still viable!

Contributors to this release:

• Documentation fixes: @xieyubo
• Go Safecast bug fixes and unit test efficiencies: @ccoVeille
• Consolidated node annotations & fixing netlink retries: @catherinetcai
• Fix TCPMSS clamping for IPv6: @rkojedzinszky
• Keeping all of our dependencies up to date and helping with our builds: @mrueg

Changelog

• da98050 - feat(go): other misc dep updates <Aaron U'Ren>
• ff8ad4c - feat(Dockerfile): bump IPTABLES wrapper version to latest <Aaron U'Ren>
• ae9c04c - feat(gobgp): update v3.37.0 -> v4.2.0 <Aaron U'Ren>
• f56f307 - feat(Makefile): bump CNI plugins v1.8.0 -> v1.9.0 <Aaron U'Ren>
• 93590ba - feat(Makefile): bump goreleaser v2.12.2 -> v2.13.3 <Aaron U'Ren>
• 8edde99 - feat(Makefile): bump golangci-lint v2.4.0 -> v2.8.0 <Aaron U'Ren>
• 4acb902 - feat(go): update go 1.25.1 -> 1.25.7, alpine 3.22 -> 3.23 <Aaron U'Ren>
• a1e6de9 - test(NSC): add endpoint checking to tests that need them <Aaron U'Ren>
• 3157e85 - test(NSC): fix two DSR service tests to create pods <Aaron U'Ren>
• ca6b644 - test(NSC): mock netlink calls - attempt 1 <Aaron U'Ren>
• b9cd0de - test(NSC): add DSR unit tests - series 1 <Aaron U'Ren>
• 10f366a - test(NSC): implement traffic policy unit testing <Aaron U'Ren>
• 0486807 - fix(NSC): cleanup historical bad IPv6 TCPMSS vals <Aaron U'Ren>
• 8aaba65 - test(NSC): add comprehensive TCPMSS unit tests <Aaron U'Ren>
• d208307 - fact(test): reuse existing ValToPtr functions <Aaron U'Ren>
• ae39f27 - fact(NSC): use LinuxNetworkingMock instead of creating a new one <Aaron U'Ren>
• 59814eb - fix: convert ginkgo tests to standard go tests <Aaron U'Ren>
• 790d53e - fact(bgp_peers.go): migrate for loop -> slices.Contains <Aaron U'Ren>
• 827cb4a - fix(BGP): always configure AFI SAFI <Aaron U'Ren>
• 4dc20bd - feat(retry.go): add debug logging to retries <Aaron U'Ren>
• ee0940b - fix(dsr): set TCPMSS based on address family <Richard Kojedzinszky>
• b56e3dd - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• f767c10 - build(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0 <dependabot[bot]>
• c3af973 - build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.0 to 1.41.1 <dependabot[bot]>
• 8a97044 - build(deps): bump google.golang.org/grpc from 1.76.0 to 1.78.0 <dependabot[bot]>
• 4fb0b62 - chore: Use context instead of deprecated golang.org/x/net/context <Cat C>
• fef6c4f - doc(user-guide.md): use obvious kubernetes master port <Aaron U'Ren>
• 5ba705e - docs: Add GoDoc comments for all wrapper functions <Cat C>
• 440ad4d - fix: Replace all netlink functions that throw ErrDumpInterrupted with a retry wrapper <Cat C>
• 50a18d6 - build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 <dependabot[bot]>
• 75a79f2 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 3ac9b5c - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• cda88e5 - build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.40.1 to 1.41.0 <dependabot[bot]>
• 42e954b - feat(ci): attempt to reduce permissions to least privs <Aaron U'Ren>
• a8326ca - fix(nrc): Update make test-pretty to test internal subdirectory. Update nlretry and LocalLinkQuerier interface to support passing in contexts <Cat C>
• 8ea5e44 - fix(nrc): Add netlink.Handle wrapper to retry netlink calls that raise ErrDumpInterrupted errors <Cat C>
• 56f269b - doc(SECURITY.md): add initial policy <Aaron U'Ren>
• ed79de5 - feat(NRC): Restructures the PeerConfig struct introduced in the previous commit to make the API easier to understanding and use. <Cat C>
• 9e091b8 - feat(NRC): This commit adds support for a consolidated annotation for configuring a node's BGP peer settings while maintaining backwards support for the existing annotations to address #1393. <Cat C>
• 229de73 - build(deps): bump golang.org/x/sys from 0.38.0 to 0.39.0 <dependabot[bot]>
• 2ecdcae - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• a6c7050 - build(deps): bump github.com/onsi/gomega from 1.38.2 to 1.38.3 <dependabot[bot]>
• 36bcd1f - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• 5ad2110 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 5c7215d - fact(service.go): modernize interface{} -> any <Aaron U'Ren>
• 952e438 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 10efc0c - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• dba1773 - build(deps): bump github.com/hashicorp/go-version from 1.7.0 to 1.8.0 <dependabot[bot]>
• 1ce59e7 - build(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0 <dependabot[bot]>
• ed5e61e - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 95faa5c - build(deps): bump the k8s-dependencies group with 4 updates <dependabot[bot]>
• 41f2179 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 2645ba4 - build(deps): bump actions/checkout from 5 to 6 <dependabot[bot]>
• e06ddcc - feat(test): use safecast.RequireConvert as a replacement for safecast.Convert in tests <ccoVeille>
• 00b4619 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 7da6510 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• 9d150b9 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 2558974 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 1e8976b - build(deps): update github.com/ccoveille/go-safecast to v2.0.0 <ccoVeille>
• e8a59fd - build(deps): bump github.com/ccoveille/go-safecast to 1.8.1 <ccoVeille>
• 2ffdb15 - build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 <dependabot[bot]>
• cd1cb08 - build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10 <dependabot[bot]>
• cbe58ef - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 66f8527 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 08858fe - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 61b543b - build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 <dependabot[bot]>
• df7a5e5 - build(deps): bump github/codeql-action from 3 to 4 <dependabot[bot]>
• 8628aed - doc(kubeadm.md): correct kube-proxy image address to match the one used in crt run command. <xyb>
• ac629d5 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 5a5c436 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• 3ad43c6 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 730364c - build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.39.0 to 1.39.2 <dependabot[bot]>

v2.6.3

Summary

Small bug fix release that fixes:

• Service proxy where the ownerReference doesn't match the kubernetes.io/service-name label (kube-router used to ignore the service, but now it continues with a debug level warning)
• Missing root cause errors on node IP address query errors
• BGP announcements for IPv6 only clusters

Contributions

Thanks to @abbshr for fixing route advertisements in IPv6 only clusters and to @zerkms for reporting several errors in kube-router logic.

Changelog

• b72910c - fix(service.go): rely on LabelServiceName only <Aaron U'Ren>
• 0155169 - fix(node.go): embed root cause errors in returned errors <Aaron U'Ren>
• acd0a94 - fix: do not advertise Pod IPv4 CIDR in a Cluster composed of IPv6-only Nodes) <sunhuanran>

v2.6.2

Summary

Fixes several ipset regressions that were introduced in release v2.6.1. This release also introduces regression tests that should hopefully be complete enough to catch any future errors of this kind from happening again in the future.

Contributions

Special thanks to @tomahzo for finding and fixing the missing ipset in for local IPs.

Changelog

• 09239b0 - fix(ipset): don't strip inet6 prefixing of ipsets <Aaron U'Ren>
• b6eedd9 - feat(test): introduce gotestsum to make output readable <Aaron U'Ren>
• e89f21a - test(ipset): add unit tests for ipset regression testing <Aaron U'Ren>
• e068f30 - feat(test): add testdata for verifying ipset data <Aaron U'Ren>
• 65f7f9b - fix(ipset): store kube-router-local-ips ipset <Bukal, Tomáš>

v2.6.1

Summary

Fixes a bug where kube-router would modify ipsets from other system applications. This change removes ipsets that don't belong to kube-router before writing them out for ipset to restore.

This isn't a new bug, this is the same functionality that kube-router has had for years, but has recently become more problematic with certain applications (like Istio) also attempting to modify ipsets around the same time that kube-router does.

Changelog

• 92572c7 fix(ipset): ignore non-kube-router ipsets

v2.6.0

Summary

It has been more than half a year since our last official kube-router release, so I think we're more than past time to do so. Additionally, there have been quite a few items that have been fixed or upgraded.

Highlights & Changed Functionality

• The Network Services Controller (enabled via --run-service-proxy) now fetches metrics when the metrics URL is hit rather than on the sync period (--ipvs-sync-period). This allows for more fine-grained and up-to-date metrics on IPVS services. (Thanks @rkojedzinszky!)
• Service's externalIP and LoadBalancerIP are now labels on IPVS metrics which can increase cardinality, but also provides better visibility for services. Prior to this, only the ClusterIP or NodePort labels were added to metrics.
• The GoBGP port can be changed or disabled via --gpbgp-admin-port to create more secure / flexible deployments of kube-router
• We converted a lot of exec's out to iproute2 into netlink library calls, making the code more idiomatic, faster, and less fragile to userspace tooling changes
• When both DSR and Maglev is enabled on a service kube-router will automatically enable the kernel option sloppy_tcp for IPVS which allows for greater service routing consistency when transitioning nodes (Thanks @AnupamGhosh!)
• All references to Endpoints has been removed since the API is now fully deprecated and EndpointSlices is now used behind the scenes

Fixed Issues

• 1895 - IPv6 NDP NA/NS dropped when using egress network policy
• 1875 - Collect service statistics real-time
• 1888 - Resilience to TCP SYN Node Loss
• 1816 - support change the default port of GoBGP
• 1614 - Fix CLI Options - --master doesn't work without --kubeconfig

Library Updates

• Go Version: 1.23.6 -> 1.25.1
• Alpine Version: 3.21 -> 3.22
• Go Releaser Version: v2.5.0 -> v2.12.2
• GoBGP Version: v3.29.0 -> v3.37.0
• CNI Plugin Version: v1.6.2 -> v1.8.0
• Kubernetes Libraries: v1.31.3 -> v1.34.1

Contributions

Special thanks to @rkojedzinszky, @AnupamGhosh, @qbnit0 for contributing to kube-router and helping make this release possible!

Changelog

• 8bf2e56 - feat(cni): update v1.6.2 -> v1.8.0 <Aaron U'Ren>
• b04463f - feat(moq): update v0.5.1 -> v0.6.0 <Aaron U'Ren>
• b1b3f93 - feat(goreleaser): update v2.12.2 -> v2.5.0 <Aaron U'Ren>
• a4fb70a - feat(lint): update golangci-lint v2.0.2 -> v2.4.0 <Aaron U'Ren>
• ec5c41d - feat(markdown): update linter from 0.39.0 -> 0.45.0 <Aaron U'Ren>
• 727ff28 - feat(actions): update stale v9 -> v10 <Aaron U'Ren>
• 97138fd - feat(actions): update setup-go v5 -> v6 <Aaron U'Ren>
• d691aaa - feat(alpine): update 3.21 -> 3.22 <Aaron U'Ren>
• 4d41eb6 - feat(go): update go 1.24 -> 1.25 + mods <Aaron U'Ren>
• 94e72aa - fix(NPC): allow bi-directional ipv6 network discovery <Aaron U'Ren>
• bafe940 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 0855bbe - build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.8 <dependabot[bot]>
• 16d7e2b - build(deps): bump the k8s-dependencies group across 1 directory with 4 updates <dependabot[bot]>
• cb3ada2 - build(deps): bump k8s from 0.31.3 -> 0.33.3 <Aaron U'Ren>
• d7214ce - feat(Endpoints): convert Endpoints -> EndpointSlices <Aaron U'Ren>
• bb9835a - feat(lballoc_test.go): make mock informer satisfy SharedIndexInformer interface <Aaron U'Ren>
• 21719d2 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• af1984a - build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10 <dependabot[bot]>
• a5c9404 - build(deps): bump github.com/onsi/gomega from 1.38.0 to 1.38.2 <dependabot[bot]>
• 36b6634 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• ab81c6e - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
• 732d7a7 - fix(nsc): add loadbalancer IPs to metrics <Aaron U'Ren>
• c2fd633 - fix(nsc): sync field name <Richard Kojedzinszky>
• b4a9ba7 - fix(nsc): rename network_services_metrics.go <Richard Kojedzinszky>
• 7533c18 - feat(nsc): getMetricsServiceMap() rebuilds only after services changed <Richard Kojedzinszky>
• 5efb999 - feat(nsc): replace unsafe.Pointer with atomic.Pointer <Richard Kojedzinszky>
• d0163ab - feat(nsc): move part of Collect() to getMetricsServiceMap() <Richard Kojedzinszky>
• 4e8bb70 - feat(nsc): move metrics logic to separate file <Richard Kojedzinszky>
• a224198 - feat(nsc): optimize key in temporary serviceMap <Richard Kojedzinszky>
• 4ed0cf4 - feat(nsc): improve Service statistics <Richard Kojedzinszky>
• 1b4b6d6 - feat(nsc): eliminate nested loops in Collect() <Richard Kojedzinszky>
• 7666276 - feat(nsc): collect service statistics on demand <Richard Kojedzinszky>
• 4b4ebec - feat(nsc): prepare serviceMap to be accessed by collector thread <Richard Kojedzinszky>
• 5132015 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 4479fd2 - build(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 <dependabot[bot]>
• 3127ca8 - build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.37.1 to 1.38.3 <dependabot[bot]>
• bca8418 - build(deps): bump github.com/aws/smithy-go from 1.22.5 to 1.23.0 <dependabot[bot]>
• 5d31e35 - build(deps): bump google.golang.org/grpc from 1.74.2 to 1.75.0 <dependabot[bot]>
• 9b9402e - build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9 <dependabot[bot]>
• 90821a1 - build(deps): bump actions/checkout from 4 to 5 <dependabot[bot]>
• 9771000 - build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 <dependabot[bot]>
• 02fbecc - build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0 <dependabot[bot]>
• 5e397e5 - fix failed message <Anupam Ghosh>
• bbb8f3b - disable sloppy_tcp if there is no DSR & Maglev service <Anupam Ghosh>
• 98e38e9 - get and set with int8 for SysctlConfig <Anupam Ghosh>
• 598fc86 - enable sloppy_tcp when DSR and Maglev is enabled <Anupam Ghosh>
• 46d7d62 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• b7a3721 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• d9c4712 - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• cfb9119 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 0f4c577 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• c64aed5 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• 4f31e54 - build(deps): bump github.com/onsi/gomega from 1.37.0 to 1.38.0 <dependabot[bot]>
• 9bf90c7 - build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 <dependabot[bot]>
• 496ea3b - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 716b3de - build(deps): bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds <dependabot[bot]>
• 48e859b - build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 <dependabot[bot]>
• 7adddd4 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 569954a - build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0 <dependabot[bot]>
• b3f5082 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• bcaced7 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• e2f9681 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 7006205 - feat(DSR): disable routing DSR traffic via kube-bridge <Aaron U'Ren>
• 2ebcac6 - feat(linux_networking): add some additional logging <Aaron U'Ren>
• eb04cbe - fact(linux_tunnels): split SetupOverlayTunnel <Aaron U'Ren>
• 7a0fca3 - feat(linux_tunnels): convert to use netlink library <Aaron U'Ren>
• 8504c52 - fix(DSR): setup source routing for all external IPs <Aaron U'Ren>
• e6edc85 - fix(ipAddrDel): check to see if IP exists on interface before delete <Aaron U'Ren>
• 69e58ed - feat(NSC): add some additional debugging to traffic director <Aaron U'Ren>
• 94bfc0d - fix(ipAddrDel): check for routes before trying to delete <Aaron U'Ren>
• e29b6a3 - fix(NSC): pass fwmark to traffic director as an int <Aaron U'Ren>
• 3c89595 - fact(utils): factor out single subnet ip logic <Aaron U'Ren>
• b070531 - fix: add proper nil rule src handling <Aaron U'Ren>
• f2b0d78 - fact: add ip utils library & add unit testing <Aaron U'Ren>
• 4795a07 - fix(ip rule): use NewRule() for all rule creations <Aaron U'Ren>
• 5607605 - fix(linux_networking.go): add scope to local routes <Aaron U'Ren>
• 80328ac - fix(linux_networking.go): filter routes to be deleted by table <Aaron U'Ren>
• 2836065 - fix(linux_routing.go): choose first rt_tables file <Aaron U'Ren>
• f59a4f5 - feat: convert execs to ip to netlink calls <Aaron U'Ren>
• d7e14f7 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• e04d62b - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• 1f3f5b9 - pkg/cmd/kube-router: Have gocritic ignore if-else chain <qbnit0>
• 4b1c954 - Support in-cluster config with --master <qbnit0>
• 2eeab05 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
• 46280e0 - build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 <dependabot[bot]>
• ab0d686 - build(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 <dependabot[bot]>
• 36120e2 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
• b9d5cb5 - build(deps)...

v2.5.0

Summary

This update is mainly a dependency and docker image base update. For a long time, kube-router has been stalled on Alpine 3.18 because of a breaking change with the upstream iptables user space. However, this was fixed in iptables-1.8.11 which was released in November and then was integrated into Alpine 3.21 early this Month. See #1789 for more information.

This should make kube-router much more tolerant of iptables / nftables rules added by recent versions of the netfilter userspaces.

This release does contain a few prominent fixes since the last release of v2.4.1:

• ipset.Save() was introduced at the start of the NetworkPolicyController resolving a race condition between the NetworkPolicyController (--run-firewall) and the NetworkServiceController (--run-service-proxy). See #1806 (thanks @alexcriss for reporting this and being patient while we tried to reproduce)
• Internal cluster traffic is now properly excluded from NAT conditions which resolves a regression that was introduced in the v2.3 release line. See: #1778 (thanks @zerkms for reporting this)

Other major dependency updates:

• Bundled CNI plugins have been updated from v1.4.0 -> v1.6.2
• Go version has been updated from v1.22.3 -> v1.23.6

Contributions

Special thanks to @rbrtbnfgl and @dsseng for their contributions to this release!

Changelog

• 85e429e - doc(RELEASE.md): update release docs <Aaron U'Ren>
• b97e2bb - feat(Makefile): update CNI plugins v1.4.0 -> v1.6.2 <Aaron U'Ren>
• baad588 - feat(gomoq): update moq version v0.3.4 -> v0.5.1 <Aaron U'Ren>
• 5e9cc72 - feat(goreleaser): update goreleaser version and syntax <Aaron U'Ren>
• 16d1f6b - feat(Makefile): update golangci-lint 1.56.2->1.63.4 <Aaron U'Ren>
• d8430e2 - fix(lint): remove nolint for error messages <Aaron U'Ren>
• 760fcd5 - fix(lint): remove non-constant format string (govet) <Aaron U'Ren>
• 48b631c - fix(lint): remove unnecessary variable initializations (copyloopvar) <Aaron U'Ren>
• 858fdf6 - fix(lint): prevent against integer overflow errors <Aaron U'Ren>
• 5cdc417 - feat: update to go 1.22.3->1.23.6 and alpine 3.18->3.21 <Aaron U'Ren>
• d1982eb - Added ipset.Save at the start of syncNetworkPolicyChains <Roberto Bonafiglia>
• e6d7245 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 1dfd31b - build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 <dependabot[bot]>
• 4a2537b - build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4 <dependabot[bot]>
• 0a4ca09 - build(deps): bump github.com/aws/aws-sdk-go from 1.55.5 to 1.55.6 <dependabot[bot]>
• 0b7cc95 - build(deps): bump google.golang.org/protobuf from 1.36.2 to 1.36.3 <dependabot[bot]>
• bca3227 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 70fa746 - build(deps): bump google.golang.org/grpc from 1.69.2 to 1.69.4 <dependabot[bot]>
• aa7cffb - fix(NSC): only set rp_filter to 2 if it is 1 <Dmitry Sharshakov>
• b2e2ef8 - build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0 <dependabot[bot]>
• 60566a9 - build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2 <dependabot[bot]>
• c067b83 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• cb67bae - build(deps): bump github.com/onsi/gomega from 1.36.1 to 1.36.2 <dependabot[bot]>
• 93498fb - build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 <dependabot[bot]>
• 970c52d - build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 <dependabot[bot]>
• b7dc040 - build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0 <dependabot[bot]>
• 955bf54 - build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0 <dependabot[bot]>
• 44f95a6 - build(deps): bump github.com/onsi/gomega from 1.36.0 to 1.36.1 <dependabot[bot]>
• 7ebe51a - build(deps): bump google.golang.org/grpc from 1.67.1 to 1.69.0 <dependabot[bot]>
• 6ce2c6d - fix(NRC): find all node IPs for NAT exclusion <Aaron U'Ren>

v2.4.1

Summary

Fixes a bug that was introduced in kube-router v2.3.0 and beyond when some of the code was refactored: #1778

Primarily affects routing to host services when navigating an IPIP tunnel. Thanks to @zerkms for finding and reporting this bug.

Changelog

• 4dafd5c fix(NRC): find all node IPs for NAT exclusion