Update Helm release cilium to v1.17.1
This MR contains the following updates:
Package | Update | Change
---|---|---
cilium (source) | minor | 1.16.2 -> 1.17.1
Release Notes
cilium/cilium (cilium)
v1.17.1: 1.17.1
Summary of Changes
Minor Changes:
- [v1.17] agent: Deprecate lb-only mode (#37391, @brb)
- helm: Update CiliumNodeConfig version (Backport MR #37440, Upstream MR #37403, @sayboras)
Bugfixes:
- ces: Fix bug where stale endpoint information was injected into IPCache (Backport MR #37416, Upstream MR #37347, @gandro)
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport MR #37440, Upstream MR #37426, @alvaroaleman)
CI Changes:
- test: Move the dind image to Quay to avoid rate-limiting (Backport MR #37440, Upstream MR #37388, @pchaigno)
Misc Changes:
- chore(deps): update all github action dependencies (v1.17) (#37502, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#37342, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.17) (#37501, @cilium-renovate[bot])
- chore(deps): update go to v1.23.6 (v1.17) (#37446, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#37409, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#37496, @cilium-renovate[bot])
Other Changes:
- install: Update image digests for v1.17.0 (#37432, @cilium-release-bot[bot])
Docker Manifests
v1.17.0: 1.17.0
We are excited to announce the Cilium 1.17.0 release!
A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars!
To keep up to date with all the latest Cilium releases, see Announcements
Here's what's new in v1.17.0:
- 🚦 Quality of Service: Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#36025, @hemanthmalla)
- 🌐 Multi-Cluster Service API: Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#34439, @MrFreezeex)
- 🔀 Load Balance based on L4 Protocol: Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#33434, @jibi)
- 🧲 Per-Service LB Algorithms: Choose maglev or random load balancing algorithms for individual services (#35735, @kl52752)
- ⛔ Deny lists for Service source ranges: Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#36120, @borkmann)
- 🏊 Better control over IPAM: IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#34622, @antonipp; #34618, @juliusmh)
- 🔌 Dynamic MTU detection: Cilium respects changes made to the MTU at runtime without requiring an agent restart (#34314, @dylandreimerink)
💂‍♀️ Security
- 🚀 Improved network policy performance: The cost of computing complex combinations of network policies has been reduced (Various MRs by @joamaki, @jrajahalme, @marseel, @nathanjsweet, @squeed and @youngnick)
- 🗂️ Prioritize critical network policies: Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices (#34199, @Kaczyniec)
- 📋 Validate Network Policies: Receive better feedback from Kubernetes when creating network policies (#34585, @squeed; #35904, @renyunkang; #36598, @pippolo84)
- 🏷️ Select CIDRGroups by Label: Add labels to CIDRGroups and use these for network policy selection (#36087, @squeed)
- 🛎️ Extend ToServices for in-cluster services: Services with a selector can be selected with ToServices network policy statements (#34208, @chaunceyjiang)
- 🚧 FQDN Filtering for hostNetwork: Use CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster (#34024, @atykhyy)
- 📶 HTTP policies on port ranges: Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic (#36056, @jrajahalme)
- ⛩️ Gateway API 1.2.1: Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#34720, @sayboras)
- 📝 Static Gateway Addressing: Cilium now supports statically specifying addresses for gateways (#33042, @chaunceyjiang)
- 🔐 Improved Envoy TLS handling: Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#35513, @youngnick)
🛰️ Observability
- 🔍 Dynamic Hubble Metrics: Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability (#35185, @rectified95)
- 🛤️ Track enabled features using Prometheus: The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled (#35852, @aanm)
- 📊 Many new metrics: Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various MRs by @AwesomePatrol, @harsimran-pabla, @joestringer, @jshr-w, @mikejoh, @nimishamehta5, @odinuge, @ovidiutirla, @rectified95 and @sjdot)
- 📈 Better cluster connectivity checking: The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#35163, @jshr-w)
- ⏳ Rate-limit monitor events: Balance the number of eBPF events against the CPU usage required to process them (#29711, @siwiutki)
- 👥 Double-Write Identity mode: New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#31920, @antonipp)
- ⚖️ Better scale testing: This release benefits from regular automated scale testing for network policy (#35278, @marseel)
- ❤️ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit its case study, let us know. We would love to hear your feedback!
  - Seznam, Alibaba Cloud, SysEleven, QingCloud, ECCO, Reddit, Confluent, SamsungAds, and Sony
- The Cilium Annual Report 2024 was released, covering all the highlights from across the community and marking the “Year of Kubernetes Networking”
- The community gathered at Cilium + eBPF Day and the Cilium Developer Summit in Salt Lake City
- Meet us at the upcoming CiliumCon and the Cilium Developer Summit in London
And finally, we would like to thank all contributors to Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you.
For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md
Docker Manifests
v1.16.7: 1.16.7
Summary of Changes
Minor Changes:
- Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport MR #37124, Upstream MR #36598, @pippolo84)
- doc: Added hostLegacyRouting limitation for Talos (Backport MR #37168, Upstream MR #36852, @PhilipSchmid)
Bugfixes:
- agent: defend against null pointer refs in cecManager.getEndpoint() (Backport MR #37375, Upstream MR #37188, @aetimmes)
- Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport MR #37278, Upstream MR #37123, @julianwiedmann)
- ces: Fix bug where stale endpoint information was injected into IPCache (Backport MR #37417, Upstream MR #37347, @gandro)
- envoy: add configurable access log buffer size (Backport MR #37168, Upstream MR #36823, @aetimmes)
- Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport MR #37168, Upstream MR #36929, @julianwiedmann)
- Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport MR #37278, Upstream MR #37085, @giorio94)
- Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport MR #37168, Upstream MR #37086, @giorio94)
- Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport MR #37168, Upstream MR #36103, @viktor-kurchenko)
- maps/nat/stats: Use Start context when waiting for maps (Backport MR #37278, Upstream MR #37262, @tommyp1ckles)
- nodeinit: move kubelet restart inside if/else in startup.bash (Backport MR #37375, Upstream MR #37282, @ayuspin)
- Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport MR #37168, Upstream MR #36504, @viktor-kurchenko)
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport MR #37441, Upstream MR #37426, @alvaroaleman)
CI Changes:
- [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (#37380, @giorio94)
- gh: harmonize lvh kernel naming scheme (Backport MR #37375, Upstream MR #37322, @julianwiedmann)
- gh: update removed --loglevel option for kind (Backport MR #37168, Upstream MR #36935, @julianwiedmann)
- gha: bump ubuntu version in conformance-externalworkloads (Backport MR #37168, Upstream MR #36859, @giorio94)
- gha: correctly downgrade to patch release in ipsec workflows (Backport MR #37168, Upstream MR #36858, @giorio94)
- gha: fix retrieval of DNS server in conformance external workloads (Backport MR #37375, Upstream MR #37361, @giorio94)
- gha: Retrieve eks supported version via aws cli (Backport MR #37223, Upstream MR #37210, @sayboras)
- Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport MR #37168, Upstream MR #36364, @smagnani96)
- Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport MR #37168, Upstream MR #36962, @smagnani96)
- test: Fix the flake for TestRestoredPort (Backport MR #37278, Upstream MR #37106, @sayboras)
- test: Move demo-httpd from Docker to Quay (Backport MR #37278, Upstream MR #37149, @joestringer)
- test: Move the dind image to Quay to avoid rate-limiting (Backport MR #37441, Upstream MR #37388, @pchaigno)
Misc Changes:
- build: Remove debug leftover from Makefile (Backport MR #37168, Upstream MR #36917, @gentoo-root)
- chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (#37117, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37244, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37505, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37343, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37550, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (#37338, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (#37215, @cilium-renovate[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (#37503, @cilium-renovate[bot])
- chore(deps): update go to v1.23.6 (v1.16) (#37497, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (#37201, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#37411, @cilium-renovate[bot])
- cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport MR #37375, Upstream MR #37326, @aanm)
- clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport MR #37168, Upstream MR #36602, @joestringer)
- doc(glossary): Geneve as final RFC (Backport MR #37375, Upstream MR #37316, @alagoutte)
- doc: ebpf host-routing and netfilter (Backport MR #37168, Upstream MR #36921, @PhilipSchmid)
- doc: eks cluster restriction removed (Backport MR #37278, Upstream MR #37043, @viktor-kurchenko)
- doc: Removed nodeinit from aks byocni install (Backport MR #37168, Upstream MR #37048, @PhilipSchmid)
- docs: Add SNI policy example (Backport MR #37375, Upstream MR #37234, @sayboras)
- docs: Clarify Identity-Relevant Labels description (Backport MR #37168, Upstream MR #36924, @joestringer)
- docs: Fix broken link in BGP control plane docs (Backport MR #37375, Upstream MR #37241, @mikejoh)
- docs: pass current_version to html_context (Backport MR #37168, Upstream MR #37008, @ayuspin)
- docs: Remove stale limitation on KPR+IPsec (Backport MR #37168, Upstream MR #37054, @pchaigno)
- images: don't assume Dockerfile directory in builder/runtime update scripts (Backport MR #37375, Upstream MR #34488, @tklauser)
- proxy: Mark restored port as configured (Backport MR #37168, Upstream MR #36953, @jrajahalme)
- Remove outdated roadmap matrix and links to it (Backport MR #37278, Upstream MR #37170, @xmulligan)
- remove stable tags from image build (#37394, @aanm)
- renovate: add fix grpc-go autodetection (Backport MR #37278, Upstream MR #33570, @aanm)
Other Changes:
- [v1.16] envoy: Bump envoy version to v1.31.x (#37157, @sayboras)
- chore(deps): update go to v1.23.5 (v1.16) (#37189, @sayboras)
- Do not leak ipcache entries when apiserver entities are cluster external (#36927, @antonipp)
- install: Update image digests for v1.16.6 (#37154, @cilium-release-bot[bot])
- Revert "chore(deps): update all-dependencies (v1.16)" (#37525, @sayboras)
Docker Manifests
v1.16.6: 1.16.6
Summary of Changes
Major Changes:
- Add feature tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #35852, @aanm)
- Add feature tracking in Cilium Operator as prometheus metrics (Backport MR #36263, Upstream MR #36077, @aanm)
Minor Changes:
- envoy: Use yaml format for bootstrap config (Backport MR #36782, Upstream MR #36820, @sayboras)
- Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#36561, @pippolo84)
- service: Cap number of backends included in monitor message (Backport MR #36635, Upstream MR #36394, @joamaki)
Bugfixes:
- cilium: LB source ranges fixes (Backport MR #36635, Upstream MR #36517, @borkmann)
- eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport MR #36872, Upstream MR #36617, @sderoe)
- envoy: Configure internal address config based on IP family (Backport MR #36782, Upstream MR #36733, @sayboras)
- Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport MR #36635, Upstream MR #36176, @tamilmani1989)
- metrics/features: remove reporting metrics' defaults by default (Backport MR #36263, Upstream MR #36298, @aanm)
- pkg/redirectpolicy: Fix backend slices in processConfig (Backport MR #36872, Upstream MR #35496, @Sm0ckingBird)
- ui: drop CORS headers from api response (Backport MR #36872, Upstream MR #35762, @geakstr)
CI Changes:
- [v1.16] .github: Remove CI Fuzz workflow (#36641, @joestringer)
- [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#36620, @julianwiedmann)
- [v1.16] gha: use /test to trigger tests in stable branches (#36673, @giorio94)
- ci: fix job names for various ci workflows (Backport MR #36263, Upstream MR #36397, @marseel)
- Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport MR #36872, Upstream MR #33398, @giorio94)
- gh: e2e-upgrade: add coverage for 6.6 kernel (Backport MR #36988, Upstream MR #36626, @julianwiedmann)
- gh: e2e-upgrade: de-renovate the config example (Backport MR #36635, Upstream MR #36463, @julianwiedmann)
- gha: drop leftover token parameter in net-perf-gke workflow (#36684, @giorio94)
- gha: fix merging of features-related artifacts (#36665, @giorio94)
- gha: merge artifacts in net-perf-gke workflow (Backport MR #36263, Upstream MR #36236, @giorio94)
- gha: Use ubuntu-24.04 for integration-test (Backport MR #36659, Upstream MR #36628, @sayboras)
Misc Changes:
- .github/workflows: always install cilium-cli (Backport MR #36263, Upstream MR #36234, @aanm)
- .github/workflows: do not fail ginkgo if unable to fetch features (Backport MR #36263, Upstream MR #36461, @aanm)
- .github: fix conformance-k8s NP test (Backport MR #36263, Upstream MR #36355, @aanm)
- [v1.16] Use bash syntax to consume env variable (#36636, @ferozsalam)
- Add more features tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #36078, @aanm)
- Add policy-related features tracking in Cilium agent as prometheus metrics (Backport MR #36263, Upstream MR #36203, @aanm)
- Add the tls:// prefix in the Hubble TLS doc (Backport MR #36635, Upstream MR #36410, @liyihuang)
- chore(deps): update all github action dependencies (v1.16) (#36612, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36762, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36950, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#37099, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#36760, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36707, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36787, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36949, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#37033, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#36895, @cilium-renovate[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to `7c3c3ce` (v1.16) (#36609, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.10 docker digest to `1a6e657` (v1.16) (#36850, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.10 docker digest to `9855006` (v1.16) (#36610, @cilium-renovate[bot])
- chore(deps): update go to v1.22.11 (v1.16) (#37045, @cilium-renovate[bot])
- chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#36839, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36611, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36699, @cilium-renovate[bot])
- doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport MR #36872, Upstream MR #36701, @alagoutte)
- docs: Add missing default identity label in the description of identity-relevant labels' example (Backport MR #36635, Upstream MR #36558, @liyihuang)
- docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport MR #36635, Upstream MR #36549, @verysonglaa)
- Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport MR #36635, Upstream MR #36417, @EricMountain)
- Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport MR #36872, Upstream MR #36788, @gentoo-root)
- fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#36711, @cilium-renovate[bot])
- ingress, gateway-api: Convert test fixtures to file based (Backport MR #36782, Upstream MR #36732, @sayboras)
- metrics/features: enable ClusterMesh (Backport MR #36263, Upstream MR #36402, @aanm)
- metrics/features: refactor metric names (Backport MR #36263, Upstream MR #36209, @aanm)
- Prepare for release v1.16.6 (#36989, @cilium-release-bot[bot])
- Remove reference to DNS polling (Backport MR #36872, Upstream MR #36679, @JacobHenner)
Other Changes:
- [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#36650, @ysksuzuki)
- install: Update image digests for v1.16.5 (#36671, @cilium-release-bot[bot])
Docker Manifests
v1.16.5: 1.16.5
Summary of Changes
Minor Changes:
- hubble: Stop building 32-bit binaries (Backport MR #36066, Upstream MR #35974, @michi-covalent)
Bugfixes:
- Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport MR #36540, Upstream MR #36484, @julianwiedmann)
- bgp: fix race in bgp stores (Backport MR #36066, Upstream MR #35971, @harsimran-pabla)
- BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport MR #36286, Upstream MR #36230, @rastislavs)
- BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport MR #36286, Upstream MR #36165, @rastislavs)
- Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport MR #36049, Upstream MR #35984, @jrajahalme)
- Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport MR #36462, Upstream MR #36252, @bimmlerd)
- cilium-health-ep controller is made to be more robust against successive failures. (Backport MR #36066, Upstream MR #35936, @jrajahalme)
- DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport MR #36468, Upstream MR #36142, @jrajahalme)
- Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport MR #36049, Upstream MR #36060, @jrajahalme)
- Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport MR #35861, Upstream MR #35098, @jschwinger233)
- Fix identity leak for kvstore identity mode (Backport MR #36066, Upstream MR #34893, @odinuge)
- Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport MR #36302, Upstream MR #36292, @giorio94)
- gateway-api: Fix gateway checks for namespace (Backport MR #36462, Upstream MR #35452, @sayboras)
- gha: Remove hostLegacyRouting in clustermesh (Backport MR #36357, Upstream MR #35418, @sayboras)
- helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport MR #36066, Upstream MR #36005, @devodev)
- hubble: consistently use v as prefix for the Hubble version (Backport MR #36286, Upstream MR #35891, @rolinh)
- iptables: Fix data race in iptables manager (Backport MR #36066, Upstream MR #35902, @pippolo84)
- lrp: update LRP services with stale backends on agent restart (Backport MR #36106, Upstream MR #36036, @ysksuzuki)
- policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#36050, @nathanjsweet)
- Unbreak the cilium-dbg preflight migrate-identity command (Backport MR #36286, Upstream MR #36089, @giorio94)
- Use `strconv.Itoa` instead of `string()` for the correct behavior when converting `kafka.ErrorCode` from `int32` to `string`. Add relevant unit tests for Kafka plugin and handler. (Backport MR #36066, Upstream MR #35856, @nddq)
CI Changes:
- [v1.16] ci: modularize chart CI push workflow (#35958, @ferozsalam)
- gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport MR #36462, Upstream MR #36384, @julianwiedmann)
- gha: configure environment in build-images-base/image-digests job (Backport MR #36462, Upstream MR #36318, @giorio94)
- node_local_store: prevent racey tests while using mock node store. (Backport MR #36066, Upstream MR #35945, @tommyp1ckles)
- Remove unnecessary hubble port-forward commands (Backport MR #36066, Upstream MR #33523, @michi-covalent)
Misc Changes:
- [v1.16] docs: egress masquerade selector (#36333, @viktor-kurchenko)
- [v1.16] images: bump cni plugins to v1.6.0 (#36092, @ferozsalam)
- bugtool: dump tail-call map for bpf_wireguard (Backport MR #36286, Upstream MR #36183, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#36155, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36275, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#36443, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) (#36277, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35546, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36152, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36279, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#36444, @cilium-renovate[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#36153, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.9 docker digest to `147f428` (v1.16) (#36222, @cilium-renovate[bot])
- chore(deps): update go to v1.22.10 (v1.16) (#36441, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#36180, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#36495, @cilium-renovate[bot])
- chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#36278, @cilium-renovate[bot])
- chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#36442, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#36154, @cilium-renovate[bot])
- docs: Add the tls:// prefix before the IP address (Backport MR #36286, Upstream MR #36118, @liyihuang)
- docs: Fix typo in multi-pool section title (Backport MR #36312, Upstream MR #36305, @joestringer)
- docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport MR #36066, Upstream MR #35923, @yilas)
- docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport MR #36066, Upstream MR #35921, @ysksuzuki)
- docs: system-requirements: require 5.4 kernel (Backport MR #36462, Upstream MR #36386, @julianwiedmann)
- docs: WireGuard doesn't require overlay port in Network Firewalls (Backport MR #36286, Upstream MR #36208, @julianwiedmann)
- Endpoint populate new policymap early if empty (Backport MR #36479, Upstream MR #36361, @jrajahalme)
- envoy: Configure internal_address_config to avoid warning log (Backport MR #36015, Upstream MR #35943, @sayboras)
- envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport MR #36468, Upstream MR #36330, @jrajahalme)
- fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#36530, @cilium-renovate[bot])
- Fixed BGP documentation (Backport MR #36066, Upstream MR #35953, @seadog007)
- images: Use cilium-builder image instead of golang to build hubble (Backport MR #36312, Upstream MR #35697, @learnitall)
- lrp: fix kernel version requirement in warning log (Backport MR #36286, Upstream MR #36141, @ysksuzuki)
- Makefile: fix swagger definition for automatic renovate updates (Backport MR #36066, Upstream MR #35979, @aanm)
- proxy: Take proxy port reference for new redirects immediately (Backport MR #36468, Upstream MR #36435, @jrajahalme)
- proxyports: Resolve data races in test (Backport MR #36468, Upstream MR #36399, @jrajahalme)
- proxyports: Sleep a bit longer in tests (Backport MR #36468, Upstream MR #36389, @jrajahalme)
- Remove duplicated watch on services and endpoint in the cilium-agent (Backport MR #36066, Upstream MR #35838, @MrFreezeex)
- Rework error handling logic in neighbor discovery (Backport MR #36093, Upstream MR #35144, @pippolo84)
- Silence spurious clustermesh-related warnings (Backport MR #36225, Upstream MR #35867, @giorio94)
- Update documentation for egress masquerading behavior (Backport MR #36462, Upstream MR #36267, @liyihuang)
Other Changes:
- [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#36082, @harsimran-pabla)
- [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#36511, @borkmann)
- install: Update image digests for v1.16.4 (#36047, @cilium-release-bot[bot])
- jrajahalme/v1.16 cilium cli (#36541, @jrajahalme)
- Revert "workflows/ipsec: Cover Ingress" (#36116, @harsimran-pabla)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.5@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
docker-plugin
quay.io/cilium/docker-plugin:v1.16.5@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
hubble-relay
quay.io/cilium/hubble-relay:v1.16.5@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.5@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
operator-aws
quay.io/cilium/operator-aws:v1.16.5@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
operator-azure
quay.io/cilium/operator-azure:v1.16.5@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
operator-generic
quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
operator
quay.io/cilium/operator:v1.16.5@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
v1.16.4
: 1.16.4
Security Advisories
This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67.
Summary of Changes
Minor Changes:
- Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport MR #35908, Upstream MR #35809, @jrajahalme)
- clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport MR #35543, Upstream MR #35349, @giorio94)
- helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport MR #35781, Upstream MR #35630, @chancez)
- helm: New socketLB.tracing flag (Backport MR #35781, Upstream MR #35747, @pchaigno)
- hubble-relay: Return underlying connection errors when connecting to peer manager (Backport MR #35781, Upstream MR #35632, @chancez)
- netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport MR #35543, Upstream MR #35306, @jrife)
Bugfixes:
- Avoid duplicate errors in health status for node-neighbor-link-updater (Backport MR #35468, Upstream MR #35179, @wedaly)
- bgpv1: fix reconciliation of services with shared VIPs (Backport MR #35468, Upstream MR #35333, @rastislavs)
- bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport MR #35863, Upstream MR #35690, @YutaroHayakawa)
- bgpv2: set local peering address when specified (Backport MR #35781, Upstream MR #35552, @harsimran-pabla)
- Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport MR #35603, Upstream MR #35150, @jrajahalme)
- Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a "timeout waiting for response" error is encountered. (Backport MR #35781, Upstream MR #35589, @bimmlerd)
- config: Remove superfluous warning on native routing CIDR (Backport MR #35781, Upstream MR #35738, @gandro)
- Fix missing flowlabel hash on SRv6 traffic. (Backport MR #35781, Upstream MR #35498, @akaliwod)
- Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport MR #35543, Upstream MR #35173, @smagnani96)
- Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport MR #35781, Upstream MR #35673, @giorio94)
- Fix redirect from L3 device to remote endpoint via overlay network. (Backport MR #35468, Upstream MR #35165, @julianwiedmann)
- Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport MR #35908, Upstream MR #35694, @julianwiedmann)
- Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport MR #35781, Upstream MR #35599, @squeed)
- Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport MR #35543, Upstream MR #35293, @squeed)
- Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport MR #35906, Upstream MR #35890, @squeed)
- Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#35611, @pippolo84)
- helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport MR #35319, Upstream MR #35301, @hox)
- helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport MR #35781, Upstream MR #35703, @solidDoWant)
- helm: set automountServiceAccountToken to false for hubble-relay sa (Backport MR #35781, Upstream MR #35674, @ayuspin)
- hubble: fix endpoint cluster name (Backport MR #35781, Upstream MR #35415, @kaworu)
- hubble: Lock exporters while gathering metrics (Backport MR #35908, Upstream MR #35860, @joestringer)
- Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for it. (Backport MR #35781, Upstream MR #35143, @jrajahalme)
- ipam: Validate CiliumNode resource in ENI mode (Backport MR #35792, Upstream MR #35784, @sayboras)
- l7lb: fix registration of flag loadbalancer-l7 (Backport MR #35781, Upstream MR #35623, @mhofstetter)
- Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport MR #35319, Upstream MR #35069, @chancez)
- option: Reduce log level for WG strict mode + IPv6 (Backport MR #35908, Upstream MR #35763, @pchaigno)
- Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport MR #35468, Upstream MR #35381, @jrajahalme)
- treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport MR #35654, Upstream MR #35614, @gandro)
- wireguard: Fix connectivity issues following node reboots. (Backport MR #35908, Upstream MR #35750, @jrife)
CI Changes:
- .github/conformance-ginkgo: replace deprecated jq flag (Backport MR #35468, Upstream MR #35399, @aanm)
- .github: extend timeout for tests-ipsec-upgrade workflow (Backport MR #35781, Upstream MR #35657, @rastislavs)
- .github: remove libncurses5 from integration tests (Backport MR #35468, Upstream MR #35408, @aanm)
- [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#35329, @ysksuzuki)
- [v1.16] github: update rhel8 LVH image to rhel8.6 (#35733, @julianwiedmann)
- Additionally test KVStore mode in E2E/IPSec workflows (Backport MR #35905, Upstream MR #35679, @giorio94)
- ci: conformance-kind: re-enable flaky Aggregator test (Backport MR #35582, Upstream MR #35286, @julianwiedmann)
- ci: datapath-verifier: bump lvh images (Backport MR #35648, Upstream MR #35456, @julianwiedmann)
- gha: Update chmod command (Backport MR #35468, Upstream MR #35400, @sayboras)
- github: Pass the workflow step timeout to go test (Backport MR #35908, Upstream MR #35814, @jrajahalme)
- Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport MR #35319, Upstream MR #35267, @aanm)
- workflows/gateway-api: Cover IPsec with GatewayAPI (Backport MR #35908, Upstream MR #35584, @pchaigno)
- workflows/ingress: Run basic checks (Backport MR #35908, Upstream MR #35683, @pchaigno)
- workflows/ipsec: Cover Ingress (Backport MR #35908, Upstream MR #35476, @pchaigno)
- workflows: Extend IPsec tests to cover egress gateway (Backport MR #35540, Upstream MR #35323, @pchaigno)
Misc Changes:
- .github/build-images-base: checkout base branch to get scripts (Backport MR #35319, Upstream MR #35236, @aanm)
- .github: remove retention days for image digests (Backport MR #35468, Upstream MR #35457, @aanm)
- bpf: vxlan helper improvements (Backport MR #35543, Upstream MR #34755, @julianwiedmann)
- chore(deps): update all github action dependencies (v1.16) (#35382, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35439, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35573, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35710, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35438, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#35730, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#35379, @cilium-renovate[bot])
- chore(deps): update go to v1.22.9 (v1.16) (#35854, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#35491, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) (#35731, @cilium-renovate[bot])
- cilium, docs: Extend requirements for L7 proxy (Backport MR #35781, Upstream MR #35669, @borkmann)
- cilium: add probe for netkit for more user friendly error when not supported (Backport MR #35781, Upstream MR #35551, @borkmann)
- ctrl-runtime: lower severity of retryable reconcile errors (Backport MR #35592, Upstream MR #35364, @giorio94)
- daemon: Reduce level of socket LB tracing warning (Backport MR #35908, Upstream MR #35798, @pchaigno)
- datapath: move policy map value prefix length to flags (Backport MR #35603, Upstream MR #35534, @jrajahalme)
- dnsproxy: fix error when sessionUDPFactory fails (Backport MR #35543, Upstream MR #33998, @marseel)
- docs/ipsec: Remove KPR limitation (Backport MR #35908, Upstream MR #35743, @pchaigno)
- docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport MR #35781, Upstream MR #35626, @pchaigno)
- docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport MR #35319, Upstream MR #35288, @oneumyvakin)
- docs: clean up stale kernel requirements (Backport MR #35582, Upstream MR #35575, @julianwiedmann)
- docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport MR #35781, Upstream MR #35725, @nvibert)
- docs: kpr: update error message regarding SocketLB tracing (Backport MR #35468, Upstream MR #35337, @julianwiedmann)
- docs: tuning: XDP LB also supports tunnel routing (Backport MR #35582, Upstream MR #35574, @julianwiedmann)
- docs: update 1.16 upgrade note for LRP (#35944, @ysksuzuki)
- docs: update default identity label filters (Backport MR #35468, Upstream MR #35422, @marseel)
- docs: XFRM reference guide for IPsec development (Backport MR #35582, Upstream MR #35322, @pchaigno)
- Envoy simplify listener setup (Backport MR #35764, Upstream MR #35642, @jrajahalme)
- envoy: Configure internal_address_config to avoid warning log (Backport MR #35471, Upstream MR #35090, @sayboras)
- envoy: Limit started serving logging to the typeURL of the stream (Backport MR #35781, Upstream MR #35736, @jrajahalme)
- Fix wrongly spelled config option in error message (Backport MR #35543, Upstream MR #35390, @baurmatt)
- helm: clarify text for serviceNoBackendResponse (Backport MR #35908, Upstream MR #35734, @julianwiedmann)
- hubble: Add 'release' Make target (Backport MR #35781, Upstream MR #35561, @michi-covalent)
- image: Use cilium-builder instead of golang as operator builder image (Backport MR #35781, Upstream MR #35351, @learnitall)
- iptables: always warn about missing xt_socket module (Backport MR #35781, Upstream MR #35591, @julianwiedmann)
- makefile: add target to install Cilium in kvstore mode (Backport MR #35905, Upstream MR #35646, @giorio94)
- proxy: Ensure proxy ports are written on shutdown (Backport MR #35908, Upstream MR #35839, @jrajahalme)
- Silence spurious clustermesh-related warnings (Backport MR #35850, Upstream MR #35867, @giorio94)
Other Changes:
- [v1.16] envoy: Add configuration for OverloadManager (#35787, @sayboras)
- [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#35563, @sayboras)
- [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#35681, @gandro)
- chore(deps): update cilium-envoy dependency (#35920, @sayboras)
- install: Update image digests for v1.16.3 (#35361, @cilium-release-bot[bot])
- Policy add deny rule test and benchmark (#35714, @jrajahalme)
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.4@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
docker-plugin
quay.io/cilium/docker-plugin:v1.16.4@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
hubble-relay
quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.4@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
operator-aws
quay.io/cilium/operator-aws:v1.16.4@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
operator-azure
quay.io/cilium/operator-azure:v1.16.4@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
operator-generic
quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
operator
quay.io/cilium/operator:v1.16.4@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
v1.16.3
: 1.16.3
Summary of Changes
Bugfixes:
- bgpv2: fix reconciliation of services with shared VIPs (Backport MR #35274, Upstream MR #35166, @rastislavs)
- bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport MR #35036, Upstream MR #34976, @rastislavs)
- bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport MR #35036, Upstream MR #34913, @ysksuzuki)
- bugtool: fix cilium-health command (Backport MR #35274, Upstream MR #35068, @ayuspin)
- Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport MR #35036, Upstream MR #34941, @bimmlerd)
- Fix issue where the bpf packet buffer mark was in some cases set to an incorrect value, resulting in incorrectly SNATed traffic. (Backport MR #35036, Upstream MR #34789, @tommyp1ckles)
- Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when IPsec is also enabled. (Backport MR #34918, Upstream MR #34651, @smagnani96)
- Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport MR #35036, Upstream MR #34783, @dylandreimerink)
- Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport MR #35274, Upstream MR #35109, @jrajahalme)
- Fixed bug where service id allocator would loop infinitely when out of service ids (Backport MR #35274, Upstream MR #35033, @WeeNews)
- Fixes startup fatal error when updating CiliumNode resource. (Backport MR #34918, Upstream MR #34862, @harsimran-pabla)
- gateway-api: Align GRPCRoute matchers with GEP specification (Backport MR #35274, Upstream MR #34808, @cfsnyder)
- helm template function no longer errors when using k8sServiceHost: auto (Backport MR #35274, Upstream MR #35186, @kreeuwijk)
- hubble: add printer for lost events (Backport MR #35274, Upstream MR #35208, @aanm)
- ipcache: Yet another refcounting fix with mix of APIs (Backport MR #35036, Upstream MR #34715, @gandro)
- netkit: Allow ARP packets through when using host firewall. (Backport MR #35274, Upstream MR #35070, @jrife)
- wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport MR #35115, Upstream MR #34612, @jrife)
CI Changes:
- .github/lint-build-commits: fix workflow for push events (Backport MR #35274, Upstream MR #35264, @aanm)
- .github: create cache directories on cache miss (Backport MR #35157, Upstream MR #35088, @aanm)
- .github: do not push floating tag from MRs (Backport MR #35230, Upstream MR #35227, @aanm)
- .github: install golang action after checkout (Backport MR #35157, Upstream MR #34843, @aanm)
- .github: re-enable configurations in e2e-upgrade (Backport MR #35157, Upstream MR #34800, @aanm)
- .github: specify cache-dependency-path in lint-workflows (Backport MR #35157, Upstream MR #34845, @aanm)
- [1.16] test: Skip envoy internal_address_config warning log (#35053, @pippolo84)
- [v1.16] gha: fix incorrect go version in lint-build-commits workflow (#35312, @giorio94)
- ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport MR #34918, Upstream MR #34820, @aanm)
- fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport MR #34918, Upstream MR #34902, @Artyop)
- servicemesh, ci: run internal to NodePort test (Backport MR #35274, Upstream MR #35177, @marseel)
Misc Changes:
- .github: add cache to cilium-cli and hubble-cli build workflows (Backport MR #35157, Upstream MR #34847, @aanm)
- .github: clean up disk for lint-build workflow (Backport MR #35157, Upstream MR #35141, @aanm)
- .github: fix build image process to commit changes (Backport MR #35274, Upstream MR #35262, @aanm)
- .github: fix lvh-kind warnings (Backport MR #35157, Upstream MR #34811, @aanm)
- .github: fix runtime image digests (Backport MR #35274, Upstream MR #35107, @aanm)
- .github: push floating tag for push events for stable branches (#35235, @aanm)
- [v1.16] .github: do not update github runners for bpf workflows (#35106, @aanm)
- [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (#35310, @julianwiedmann)
- bgpv2/docs: add ebgp multihop documentation (Backport MR #35036, Upstream MR #34951, @harsimran-pabla)
- bgpv2: cleanup service reconciliation logic (Backport MR #35036, Upstream MR #34959, @rastislavs)
- Change GH runners to GH's default (Backport MR #35157, Upstream MR #33451, @aanm)
- chore(deps): update all github action dependencies (v1.16) (#35025, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35082, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.16) (#35250, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35005, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.16) (#35283, @cilium-renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (#34999, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (#35101, @cilium-renovate[bot])
- chore(deps): update go to v1.22.8 (v1.16) (#35201, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (#35137, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (#35218, @cilium-renovate[bot])
- cilium-cli: Show config.cilium.io annotations on configmap (Backport MR #35155, Upstream MR #35020, @joamaki)
- docs: Add known issue for netkit endpoint route issues (Backport MR #35274, Upstream MR #35126, @jrife)
- docs: fix EKS Kubernetes compatibility link (Backport MR #35036, Upstream MR #34922, @fjvela)
- docs: Improve warning on insecure global IPsec keys (Backport MR #34918, Upstream MR #34846, @pchaigno)
- docs: move sig-policy to second Tuesday of the month (Backport MR #35115, Upstream MR #35040, @squeed)
- fix: Assign PodStore from Pod resource until cell migration is completed (Backport MR #35274, Upstream MR #34090, @dlapcevic)
- helm: add client auth to hubble server certificate (Backport MR #35036, Upstream MR #34934, @kaworu)
- helm: set key usages for hubble certificates with cert-manager (Backport MR #35036, Upstream MR #34946, @kaworu)
- Improve speed on lint commits GH workflow (Backport MR #35157, Upstream MR #34848, @aanm)
- install/kubernetes: fix Operator's clusterrole for pods deletion (Backport MR #35274, Upstream MR #35193, @aanm)
- Re-write GitHub cache usages across workflows (Backport MR #35157, Upstream MR #34866, @aanm)
- Remove conformance-e2e tests (Backport MR #35157, Upstream MR #34742, @aanm)
Other Changes:
- [v1.16] Add missing test coverage in v1.16 branch (#35223, @aanm)
- [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (#35129, @ysksuzuki)
- [v1.16] author backport: LRP fixes (#35072, @ysksuzuki)
- [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (#35160, @tklauser)
- [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#35151, @tklauser)
- install: Update image digests for v1.16.2 (#35052, @cilium-release-bot[bot])
Docker Manifests
cilium
quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.16.3@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
docker-plugin
quay.io/cilium/docker-plugin:v1.16.3@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
hubble-relay
quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.16.3@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
operator-aws
quay.io/cilium/operator-aws:v1.16.3@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
operator-azure
quay.io/cilium/operator-azure:v1.16.3@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
operator-generic
quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
operator
quay.io/cilium/operator:v1.16.3@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
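The Docker Manifests blocks above are the supply-chain check that matters for an MR like this one: each release publishes a sha256 digest per image, the stable tag is re-pointed on every release (compare the stable digests across the v1.16.3, v1.16.4 and v1.16.5 blocks), and a cluster running a tag without a digest gives no proof of which image was actually pulled. The following Python is an added example, not code from the Renovate MR or the Cilium project. The release-notes text it parses is a constructed excerpt in the format of the manifest blocks above (including the zero-width space that the rendered notes carry between "@" and "sha256" on the versioned lines), and the running-image list is constructed sample input standing in for kubectl output; both are labelled as such in the code.

```python
"""Check running Cilium image references against a release's published digests.

Added example for this MR page; not code from the Renovate MR or the Cilium
project. RELEASE_NOTES and RUNNING_IMAGES below are constructed sample input.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One manifest line from the release notes: "<repo>:<tag>@sha256:<64 hex>".
_MANIFEST_RE = re.compile(
    r"^(?P<repo>[a-z0-9][a-z0-9._/-]*):(?P<tag>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"@sha256:(?P<digest>[0-9a-f]{64})$"
)

# Constructed excerpt in the format of the "Docker Manifests" blocks above,
# deliberately partial (two images only). The "\u200b" reproduces the
# zero-width space the rendered notes carry after "@" on versioned lines.
RELEASE_NOTES = """
cilium
quay.io/cilium/cilium:v1.16.5@\u200bsha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
operator-generic
quay.io/cilium/operator-generic:v1.16.5@\u200bsha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
"""

# Constructed sample standing in for kubectl output (.spec.containers[].image
# or .status.containerStatuses[].imageID) from a cluster on the 1.16.x chart.
RUNNING_IMAGES = [
    "quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d",
    "quay.io/cilium/operator-generic:v1.16.5",
    # the digest published for v1.16.4, presented under the v1.16.5 tag
    "quay.io/cilium/cilium:v1.16.5@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf",
    "quay.io/cilium/hubble-relay:v1.16.5",
]


def parse_manifests(text: str) -> dict[str, dict[str, str]]:
    """Return repo -> tag -> digest from release-notes text.

    Zero-width spaces are stripped before matching; lines that are not image
    references (the section names such as "cilium") are skipped.
    """
    out: dict[str, dict[str, str]] = {}
    for raw in text.splitlines():
        m = _MANIFEST_RE.match(raw.replace("\u200b", "").strip())
        if m:
            out.setdefault(m["repo"], {})[m["tag"]] = m["digest"]
    return out


def parse_image_ref(ref: str) -> tuple[str, str | None, str | None]:
    """Split "repo[:tag][@sha256:digest]" into (repo, tag, digest).

    The tag separator is the last ":" only when no "/" follows it, so a
    registry port ("registry:5000/cilium/cilium") is not taken for a tag.
    """
    name, _, digest_part = ref.partition("@")
    digest = digest_part.removeprefix("sha256:") if digest_part else None
    repo, tag = name, None
    idx = name.rfind(":")
    if idx > name.rfind("/"):
        repo, tag = name[:idx], name[idx + 1:]
    return repo, tag, digest


@dataclass(frozen=True)
class Finding:
    image: str
    status: str  # "ok" | "unpinned" | "mismatch" | "unknown"
    detail: str


def check_images(refs: list[str], expected: dict[str, dict[str, str]],
                 version: str) -> list[Finding]:
    """Compare image references with the digests published for `version`.

    A bare tag is "unpinned" even when it names the right version: tags are
    mutable, so only a digest proves which image was pulled.
    """
    findings: list[Finding] = []
    for ref in refs:
        repo, _tag, digest = parse_image_ref(ref)
        want = expected.get(repo, {}).get(version)
        if want is None:
            findings.append(Finding(ref, "unknown", f"{repo} not in the {version} manifests"))
        elif digest is None:
            findings.append(Finding(ref, "unpinned", f"no digest; release ships sha256:{want}"))
        elif digest != want:
            findings.append(Finding(ref, "mismatch", f"got sha256:{digest}, release ships sha256:{want}"))
        else:
            findings.append(Finding(ref, "ok", "digest matches the release manifest"))
    return findings


def audit(version: str = "v1.16.5") -> list[Finding]:
    """Run the check over the constructed samples; returns one Finding per image."""
    return check_images(RUNNING_IMAGES, parse_manifests(RELEASE_NOTES), version)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.status:<9} {f.image}\n          {f.detail}")
```

Against a live cluster, feed check_images the .status.containerStatuses[*].imageID fields of the cilium and cilium-operator pods, which record what the kubelet actually pulled, and separately the .spec.containers[*].image fields, which show what the chart requested. A tag-only spec is the finding to act on: the stable digests differ between the release blocks above, so that tag moves with every release, and a versioned tag can be re-pointed just as easily. The chart normally carries these digests itself (the "install: Update image digests" entries in each release are the commits that refresh them), so a chart upgrade keeps the pin unless digest pinning was disabled in the release values.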
This MR has been generated by Renovate Bot. Tell Nogweii if it blows up.