
Releases: cloudfoundry/silk-release

3.4.0

18 Apr 18:54

⛔️ WARNING: KNOWN ISSUE ⛔️

  • Some types of ASG rules will cause apps to fail to start when dynamic ASGs are enabled. See more information here.

Release Highlights

  • [New Feature] vxlan-policy-agent emits an app log when it updates security groups

Compatibility Notes

✨ Built with golang 1.17.9

3.3.0

18 Mar 19:18

⛔️ WARNING: KNOWN ISSUE ⛔️

  • Some types of ASG rules will cause apps to fail to start when dynamic ASGs are enabled. See more information here.

Release Highlights

  • 🐛 [Bug Fix] Resolves an issue in silk-release 3.2.0 where netmon was unable to emit metrics

Compatibility Notes

✨ Built with golang 1.17.8

3.2.0

18 Mar 14:10

⛔️ WARNING: KNOWN ISSUES ⛔️

  • Some types of ASG rules will cause apps to fail to start when dynamic ASGs are enabled. See more information here.
  • The netmon job is unable to gather/emit networking metrics in this version of silk-release.

Release Highlights

  • 🐛 [Bug Fix] Resolves issues related to the vxlan-policy-agent's pre-start script failing on deployments with extremely large iptables rule counts, because it did not honor the silk-release iptables lock file (resolves the issues seen in 3.0.0 and 3.1.0)
  • 🐛 [Bug Fix] Ensures dynamic ASG iptables chains are always cleaned up during bosh stop lifecycle events (resolves the issues seen in 3.0.0 and 3.1.0)
  • 🐛 [Bug Fix] All silk components now use the same iptables binary for increased rule compatibility between components.

✨ Built with golang 1.17.8

Compatibility Notes

3.1.0

10 Mar 13:57

⛔️ WARNING: KNOWN ISSUES ⛔️

Do NOT use this release with dynamic ASGs enabled, which they are by default.

  • Lots of ASGs can cause the vxlan-policy-agent to fail in pre-start. This will cause all upgrades to fail. More details about this bug to come soon.
  • Some types of ASG rules will cause apps to fail to start when dynamic ASGs are enabled. See more information here.

Release Highlights

  • [New Feature] silk-cni now supports the outbound_connections.dry_run property to enable
    logging of outbound connection rate limiting events without actually denying traffic. Useful while
    tuning thresholds prior to actual implementation. Thanks @sleepychild and @dezz6ato!

  • 🐛 [Bug Fix] vxlan-policy-agent now properly handles ASG rules with ICMP type/code of -1
    when dynamic ASG updates are enabled.

  • 🐛 [Bug Fix] vxlan-policy-agent now cleans up netout--*-log chains after containers
    are deleted.

  • 🐛 [Bug Fix] vxlan-policy-agent now continues applying ASGs to all containers it can when errors
    are encountered applying rulesets. Previously, any errors encountered would halt updates for remaining
    containers.

  • 🐛 [Bug Fix] vxlan-policy-agent cleans up newly created asg-* chains that encountered failures,
    and ensures the previous asg-* chain for a container remains intact.

  • 🐛 [Bug Fix] vxlan-policy-agent now cleans up the remaining chains present after the last
    container has been stopped on a host.

  • 🔒 [Security Fix] Built with golang 1.17.8 to address CVE-2022-23772 & CVE-2022-23806

Manifest Property Changes

| Job | Property | 2.43.0 | 3.0.0 |
| --- | --- | --- | --- |
| silk-cni | dry_run | didn't exist | false |

✨ Built with golang 1.17.8

Compatibility Notes

3.0.0

23 Feb 14:35

⛔️ WARNING: KNOWN ISSUES ⛔️

Do NOT use this release with dynamic ASGs enabled, which they are by default.

  • Lots of ASGs can cause the vxlan-policy-agent to fail in pre-start. This will cause all upgrades to fail. More details about this bug to come soon.
  • Some types of ASG rules will cause apps to fail to start when dynamic ASGs are enabled. See more information here.

Release Highlights

  • [New Feature] silk-release now supports dynamically updating ASG data for app containers without needing a restart!
    • vxlan-policy-agent periodically queries policy-server-internal to determine rules to apply to each container running on its cell, and updates iptables.
    • cni-plugin-wrapper calls a new endpoint on vxlan-policy-agent to ensure rules are updated as containers restart.
    • The traditional netout--<truncated-container-guid> iptables chains remain, but jump to a new asg-<hash><timestamp> chain that is replaced as changes are detected
    • When disabled, everything behaves as it did previously.
      • To disable, set enable_asg_syncing to false on vxlan-policy-agent
  • 🐛 [Bug Fix] silk-release components now use the same iptables version that is provided with garden-runc, to prevent issues from occurring when rules are incompatible across iptables versions.
  • 🐛 [Bug Fix] The log-level parameter for vxlan-policy-agent is now propagated from bosh release to agent properly.
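
A check an operator could run after upgrading, given the chain layout described above and the cleanup fixes in the 3.1.0 and 3.2.0 notes: it parses `iptables-save` output and lists `asg-*` and `netout--*-log` chains that no rule jumps to. This is an added example, not code from silk-release; the sample ruleset and its chain names are constructed, and treating an unreferenced chain as a leftover is an assumption of the example.

```python
import re
import sys

# Constructed iptables-save excerpt, not captured from a real cell. Chain names follow
# the patterns in the release notes; the GUID, hash and timestamp parts are made up.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:netout--aaaa1111 - [0:0]
:netout--aaaa1111-log - [0:0]
:netout--bbbb2222-log - [0:0]
:asg-0a1b2c1650000000 - [0:0]
:asg-0a1b2c1649990000 - [0:0]
-A FORWARD -s 10.255.0.2/32 -j netout--aaaa1111
-A netout--aaaa1111 -j asg-0a1b2c1650000000
-A asg-0a1b2c1650000000 -p tcp -m tcp --dport 443 -j ACCEPT
-A asg-0a1b2c1650000000 -p tcp -j netout--aaaa1111-log
-A asg-0a1b2c1649990000 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

CHAIN_DECL = re.compile(r"^:(\S+) ")                  # ":<chain> <policy> [pkts:bytes]"
RULE = re.compile(r"^-A (\S+)(?: .*?)? -[jg] (\S+)")  # "-A <chain> ... -j <target>"
MANAGED = re.compile(r"^(asg-.+|netout--.+-log)$")    # chains the notes say get cleaned up


def parse(text):
    """Return (declared chains, {target: chains jumping to it}); table boundaries are ignored."""
    declared, referenced_by = [], {}
    for line in text.splitlines():
        if m := CHAIN_DECL.match(line):
            declared.append(m.group(1))
        elif m := RULE.match(line):
            referenced_by.setdefault(m.group(2), set()).add(m.group(1))
    return declared, referenced_by


def orphaned_chains(text):
    """Managed chains that no other chain jumps to (assumed to be leftovers)."""
    declared, referenced_by = parse(text)
    return sorted(c for c in declared
                  if MANAGED.match(c) and not referenced_by.get(c, set()) - {c})


if __name__ == "__main__":
    # Pipe `iptables-save -t filter` in, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for chain in orphaned_chains(text):
        print("orphaned:", chain)
```
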

Compatibility Notes




garden-runc-release v1.20.0 is required for this and subsequent silk-releases.
Tested with silk-release v3.0.0

Manifest Property Changes

| Job | Property | 0.228.0 | 0.229.0 |
| --- | --- | --- | --- |
| vxlan-policy-agent | enable_asg_syncing | didn't exist | true |
| vxlan-policy-agent | asg_poll_interval_seconds | didn't exist | 60 |

✨ Built with golang 1.17.7

2.43.0

13 Jan 16:48
  • Bump to golang 1.17!
  • Tested with cf-networking-release v2.43.0
  • [Breaking] Added template tests to validate IPs do not contain leading zeros per golang 1.17's new IP parsing standards

✨ Built with golang 1.17.6

2.42.0

13 Jan 16:46

✨ Built with golang 1.16.10

2.41.0

13 Jan 16:47

✨ Built with golang 1.16.9

2.40.0

19 Oct 17:03

Release Highlights

✨ Built with golang 1.16.8

2.39.0

07 Oct 15:13

Release Highlights

  • Adds a new experimental feature to rate limit outbound connections in containers (Thanks for the PR @IvanHristov98!)
  • Go 1.16 has GO111MODULE on by default. This release converts silk-release to be compatible with those changes
  • Updates silk to use the ANSI_QUOTES sql_mode when making connections to help with MySQL 8 compatibility
  • Tested with cf-networking-release v2.38.0

Security Fixes

✨ Built with golang 1.16.8