chore(deps): update kubezero-network-dependencies #46

Merged
stefan merged 1 commit from renovate/kubezero-network-kubezero-network-dependencies into main 2025-04-23 16:14:49 +00:00

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cilium (source) | minor | 1.16.6 -> 1.17.3 |
| haproxy (source) | minor | 1.23.0 -> 1.24.0 |

Release Notes

cilium/cilium (cilium)

v1.17.3: 1.17.3

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.17.2: 1.17.2

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.17.1: 1.17.1

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.17.0: 1.17.0

Compare Source

We are excited to announce the Cilium 1.17.0 release!

A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars! 🤩

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.17.0:

🚠 Networking

  • 🚦 Quality of Service: Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#36025, @hemanthmalla)
  • 🌐 Multi-Cluster Service API: Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#34439, @MrFreezeex)
  • 🔀 Load Balance based on L4 Protocol: Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#33434, @jibi)
  • 🧲 Per-Service LB Algorithms: Choose maglev or random load balancing algorithms for individual services (#35735, @kl52752)
  • Deny lists for Service source ranges: Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#36120, @borkmann)
  • 🏊 Better control over IPAM: IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#34622, @antonipp; #34618, @juliusmh)
  • 🔌 Dynamic MTU detection: Cilium respects changes to MTU made at runtime without requiring agent restart (#34314, @dylandreimerink)

💂‍♀️ Security

🕸️ Service Mesh & Gateway API

  • ⛩️ Gateway API 1.2.1: Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#34720, @sayboras)
  • 📝 Static Gateway Addressing: Cilium now supports statically specifying addresses for gateways (#33042, @chaunceyjiang)
  • 🔐 Improved Envoy TLS handling: Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#35513, @youngnick)

🛰️ Observability

🌅 Scale

  • 📈 Better cluster connectivity checking: The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#35163, @jshr-w)
  • Rate-limit monitor events: Balance the number of eBPF events against the CPU usage required to process them (#29711, @siwiutki)
  • 👥 Double-Write Identity mode: New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#31920, @antonipp)
  • ⚖️ Better scale testing: This release benefits from regular automated scale testing for network policy (#35278, @marseel)

🏘️ Community

And finally, we would like to thank all contributors of Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ ❤️ ❤️

For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md

Docker Manifests


v1.16.9: 1.16.9

Compare Source

Summary of Changes

Minor Changes:

  • Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38400, Upstream PR #37936, @smagnani96)
  • Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #38747, Upstream PR #35900, @smagnani96)

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.16.8: 1.16.8

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.16.7: 1.16.7

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


haproxytech/helm-charts (haproxy)

v1.24.0

Compare Source

A Helm chart for HAProxy on Kubernetes


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.16.6` -> `1.17.3` | | [haproxy](https://github.com/haproxytech/helm-charts/tree/main/haproxy) ([source](https://github.com/haproxytech/helm-charts)) | minor | `1.23.0` -> `1.24.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.17.3`](https://github.com/cilium/cilium/releases/tag/v1.17.3): 1.17.3 [Compare Source](https://github.com/cilium/cilium/compare/1.17.2...1.17.3) ## Summary of Changes **Minor Changes:** - hubble: accurately report startup failure reason from cilium status (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;37567](https://github.com/cilium/cilium/issues/37567), [@&#8203;devodev](https://github.com/devodev)) - Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR [#&#8203;38399](https://github.com/cilium/cilium/issues/38399), Upstream PR [#&#8203;37936](https://github.com/cilium/cilium/issues/37936), [@&#8203;smagnani96](https://github.com/smagnani96)) **Bugfixes:** - Always detach BPF programs from cilium_wg0 when not needed. 
(Backport PR [#&#8203;38184](https://github.com/cilium/cilium/issues/38184), Upstream PR [#&#8203;38179](https://github.com/cilium/cilium/issues/38179), [@&#8203;smagnani96](https://github.com/smagnani96)) - Avoid installing no-track rules when IP family is disabled (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;38438](https://github.com/cilium/cilium/issues/38438), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - bgpv2: Fix service reconciliation by BGP peer IP change (Backport PR [#&#8203;38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#&#8203;38620](https://github.com/cilium/cilium/issues/38620), [@&#8203;rastislavs](https://github.com/rastislavs)) - bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR [#&#8203;38684](https://github.com/cilium/cilium/issues/38684), Upstream PR [#&#8203;38592](https://github.com/cilium/cilium/issues/38592), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (Backport PR [#&#8203;38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#&#8203;38267](https://github.com/cilium/cilium/issues/38267), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. 
(Backport PR [#&#8203;38394](https://github.com/cilium/cilium/issues/38394), Upstream PR [#&#8203;38335](https://github.com/cilium/cilium/issues/38335), [@&#8203;gentoo-root](https://github.com/gentoo-root)) - Fix deadlock in compilation lock (Backport PR [#&#8203;38805](https://github.com/cilium/cilium/issues/38805), Upstream PR [#&#8203;38784](https://github.com/cilium/cilium/issues/38784), [@&#8203;dylandreimerink](https://github.com/dylandreimerink)) - Fix panic caused in dual cluster setups where LRPs with `skipRedirectFromBackend` flag set to true are installed and IPv6 is disabled. (Backport PR [#&#8203;38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#&#8203;38656](https://github.com/cilium/cilium/issues/38656), [@&#8203;aditighag](https://github.com/aditighag)) - Fix the ipv6 only cluster doesn't work with multi pool in some k8s distribution(Openshift) (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;38472](https://github.com/cilium/cilium/issues/38472), [@&#8203;liyihuang](https://github.com/liyihuang)) - Fix: cilium-operator no longer patches services on shutdown (Backport PR [#&#8203;38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#&#8203;37967](https://github.com/cilium/cilium/issues/37967), [@&#8203;rsafonseca](https://github.com/rsafonseca)) - Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (Backport PR [#&#8203;38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#&#8203;38556](https://github.com/cilium/cilium/issues/38556), [@&#8203;squeed](https://github.com/squeed)) - For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. 
(Backport PR [#&#8203;38800](https://github.com/cilium/cilium/issues/38800), Upstream PR [#&#8203;38737](https://github.com/cilium/cilium/issues/38737), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - ingress: don't cleanup ingress status of unmanaged Ingress resources (Backport PR [#&#8203;38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#&#8203;38555](https://github.com/cilium/cilium/issues/38555), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - ipam/aws: properly paginate Operator `DescribeNetworkInterfaces` AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (Backport PR [#&#8203;38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#&#8203;37983](https://github.com/cilium/cilium/issues/37983), [@&#8203;antonipp](https://github.com/antonipp)) - netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;37812](https://github.com/cilium/cilium/issues/37812), [@&#8203;jrife](https://github.com/jrife)) **CI Changes:** - build: update golangci-lint to v2.0.0 (Backport PR [#&#8203;38629](https://github.com/cilium/cilium/issues/38629), Upstream PR [#&#8203;38473](https://github.com/cilium/cilium/issues/38473), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - ci: build CI images within merge group (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;38065](https://github.com/cilium/cilium/issues/38065), [@&#8203;marseel](https://github.com/marseel)) - ci: prepare CI Image build for being required (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;38320](https://github.com/cilium/cilium/issues/38320), [@&#8203;marseel](https://github.com/marseel)) - cilium-cli: extend no-interrupted-connections to test Egress Gateway (Backport PR 
[#&#8203;38527](https://github.com/cilium/cilium/issues/38527), Upstream PR [#&#8203;38193](https://github.com/cilium/cilium/issues/38193), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - cilium-cli: extend no-interrupted-connections to test NodePort from outside (Backport PR [#&#8203;37797](https://github.com/cilium/cilium/issues/37797), Upstream PR [#&#8203;37294](https://github.com/cilium/cilium/issues/37294), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38264](https://github.com/cilium/cilium/issues/38264), [@&#8203;smagnani96](https://github.com/smagnani96)) - Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38290](https://github.com/cilium/cilium/issues/38290), [@&#8203;smagnani96](https://github.com/smagnani96)) - Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR [#&#8203;38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#&#8203;38281](https://github.com/cilium/cilium/issues/38281), [@&#8203;smagnani96](https://github.com/smagnani96)) - Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38265](https://github.com/cilium/cilium/issues/38265), [@&#8203;smagnani96](https://github.com/smagnani96)) - Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. 
(Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38292](https://github.com/cilium/cilium/issues/38292), [@&#8203;smagnani96](https://github.com/smagnani96)) - Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38291](https://github.com/cilium/cilium/issues/38291), [@&#8203;smagnani96](https://github.com/smagnani96)) - gh: aws-cni: set --enable-identity-mark=false option (Backport PR [#&#8203;38800](https://github.com/cilium/cilium/issues/38800), Upstream PR [#&#8203;38738](https://github.com/cilium/cilium/issues/38738), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (Backport PR [#&#8203;38527](https://github.com/cilium/cilium/issues/38527), Upstream PR [#&#8203;38511](https://github.com/cilium/cilium/issues/38511), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gha: enable north/south conn-disrupt-test in clustermesh upgrade tests (Backport PR [#&#8203;38527](https://github.com/cilium/cilium/issues/38527), Upstream PR [#&#8203;38554](https://github.com/cilium/cilium/issues/38554), [@&#8203;giorio94](https://github.com/giorio94)) - Ignore encrypt interface field when validating option.Config after initialization (Backport PR [#&#8203;38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#&#8203;37184](https://github.com/cilium/cilium/issues/37184), [@&#8203;Artyop](https://github.com/Artyop)) - Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. 
(Backport PR [#&#8203;38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#&#8203;38278](https://github.com/cilium/cilium/issues/38278), [@&#8203;smagnani96](https://github.com/smagnani96)) - Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38293](https://github.com/cilium/cilium/issues/38293), [@&#8203;smagnani96](https://github.com/smagnani96)) - Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR [#&#8203;38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#&#8203;38266](https://github.com/cilium/cilium/issues/38266), [@&#8203;smagnani96](https://github.com/smagnani96)) - proxy/proxyports: fix flake and data race in TestPortAllocator (Backport PR [#&#8203;38674](https://github.com/cilium/cilium/issues/38674), Upstream PR [#&#8203;38062](https://github.com/cilium/cilium/issues/38062), [@&#8203;tklauser](https://github.com/tklauser)) - proxy: fix flake in TestPortAllocator test (Backport PR [#&#8203;38674](https://github.com/cilium/cilium/issues/38674), Upstream PR [#&#8203;38646](https://github.com/cilium/cilium/issues/38646), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - Refactoring and code comments for the check-encryption-leak script. (Backport PR [#&#8203;38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#&#8203;38263](https://github.com/cilium/cilium/issues/38263), [@&#8203;smagnani96](https://github.com/smagnani96)) - Report masqueraded flow through proxy in the check-encryption-leak script. 
(Backport PR [#&#8203;38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#&#8203;38297](https://github.com/cilium/cilium/issues/38297), [@&#8203;smagnani96](https://github.com/smagnani96)) - Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38280](https://github.com/cilium/cilium/issues/38280), [@&#8203;smagnani96](https://github.com/smagnani96)) - Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38289](https://github.com/cilium/cilium/issues/38289), [@&#8203;smagnani96](https://github.com/smagnani96)) - Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#&#8203;38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#&#8203;38289](https://github.com/cilium/cilium/issues/38289), [@&#8203;smagnani96](https://github.com/smagnani96)) - Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#&#8203;38517](https://github.com/cilium/cilium/issues/38517), Upstream PR [#&#8203;38287](https://github.com/cilium/cilium/issues/38287), [@&#8203;smagnani96](https://github.com/smagnani96)) - Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. 
(Backport PR [#38740](https://github.com/cilium/cilium/issues/38740), Upstream PR [#38268](https://github.com/cilium/cilium/issues/38268), [@smagnani96](https://github.com/smagnani96))
- test: Update FQDN related domain and IP (Backport PR [#38769](https://github.com/cilium/cilium/issues/38769), Upstream PR [#38754](https://github.com/cilium/cilium/issues/38754), [@sayboras](https://github.com/sayboras))

**Misc Changes:**

- \[v1.17] bpf: host: ipsec: check whether destination has tunnel_endpoint ([#38802](https://github.com/cilium/cilium/issues/38802), [@julianwiedmann](https://github.com/julianwiedmann))
- \[v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code ([#38594](https://github.com/cilium/cilium/issues/38594), [@julianwiedmann](https://github.com/julianwiedmann))
- \[v1.17] deps: bump package x/oauth2 ([#38403](https://github.com/cilium/cilium/issues/38403), [@ferozsalam](https://github.com/ferozsalam))
- \[v1.17] deps: bump x/net to v0.38.0 ([#38780](https://github.com/cilium/cilium/issues/38780), [@ferozsalam](https://github.com/ferozsalam))
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR [#38684](https://github.com/cilium/cilium/issues/38684), Upstream PR [#37956](https://github.com/cilium/cilium/issues/37956), [@julianwiedmann](https://github.com/julianwiedmann))
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR [#38684](https://github.com/cilium/cilium/issues/38684), Upstream PR [#38430](https://github.com/cilium/cilium/issues/38430), [@julianwiedmann](https://github.com/julianwiedmann))
- bpf: nodeport: preserve monitor aggregation in egress path (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38312](https://github.com/cilium/cilium/issues/38312), [@julianwiedmann](https://github.com/julianwiedmann))
- bugtool: collect more detailed link statistics (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38391](https://github.com/cilium/cilium/issues/38391), [@julianwiedmann](https://github.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.17) ([#38353](https://github.com/cilium/cilium/issues/38353), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17) ([#38436](https://github.com/cilium/cilium/issues/38436), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17) ([#38612](https://github.com/cilium/cilium/issues/38612), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17) ([#38303](https://github.com/cilium/cilium/issues/38303), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17) ([#38542](https://github.com/cilium/cilium/issues/38542), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.17) ([#38730](https://github.com/cilium/cilium/issues/38730), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.17) ([#38354](https://github.com/cilium/cilium/issues/38354), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.17) ([#38611](https://github.com/cilium/cilium/issues/38611), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`37f7b37`](https://github.com/cilium/cilium/commit/37f7b37) (v1.17) ([#38350](https://github.com/cilium/cilium/issues/38350), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.23.7 docker digest to [`cb45cf7`](https://github.com/cilium/cilium/commit/cb45cf7) (v1.17) ([#38351](https://github.com/cilium/cilium/issues/38351), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (v1.17) ([#38434](https://github.com/cilium/cilium/issues/38434), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.17) ([#38608](https://github.com/cilium/cilium/issues/38608), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.23.8 (v1.17) ([#38713](https://github.com/cilium/cilium/issues/38713), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update kindest/node docker tag to v1.29.14 (v1.17) ([#38352](https://github.com/cilium/cilium/issues/38352), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.17) ([#38257](https://github.com/cilium/cilium/issues/38257), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.17) ([#38384](https://github.com/cilium/cilium/issues/38384), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742784301-90f2717e10fcd34f9aca97413fcd00ca2b8ccfee (v1.17)
([#38441](https://github.com/cilium/cilium/issues/38441), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.17) ([#38671](https://github.com/cilium/cilium/issues/38671), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744108394-d3be7c547203cd80d0c4902e4b9deac09c727456 (v1.17) ([#38773](https://github.com/cilium/cilium/issues/38773), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) ([#38316](https://github.com/cilium/cilium/issues/38316), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) ([#38435](https://github.com/cilium/cilium/issues/38435), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) ([#38831](https://github.com/cilium/cilium/issues/38831), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- cilium, status: Do not display annotations if KPR is disabled (Backport PR [#38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#38677](https://github.com/cilium/cilium/issues/38677), [@borkmann](https://github.com/borkmann))
- doc(troubleshooting): add -verbose to cilium-health status (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38169](https://github.com/cilium/cilium/issues/38169), [@alagoutte](https://github.com/alagoutte))
- doc: Envoy daemonset works on OpenShift (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38236](https://github.com/cilium/cilium/issues/38236), [@fgiloux](https://github.com/fgiloux))
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38173](https://github.com/cilium/cilium/issues/38173), [@yrsuthari](https://github.com/yrsuthari))
- docs: add per-node default pool example (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38135](https://github.com/cilium/cilium/issues/38135), [@acudovs](https://github.com/acudovs))
- docs: clarify hubble flow filter match semantics (Backport PR [#38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#38657](https://github.com/cilium/cilium/issues/38657), [@devodev](https://github.com/devodev))
- docs: Correct the envoy circuit-breaking example manifest (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38158](https://github.com/cilium/cilium/issues/38158), [@raphink](https://github.com/raphink))
- docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38231](https://github.com/cilium/cilium/issues/38231), [@rastislavs](https://github.com/rastislavs))
- docs: Update LLVM requirements to 18.1 (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38294](https://github.com/cilium/cilium/issues/38294), [@gentoo-root](https://github.com/gentoo-root))
- Documentation: "cilium config set" restarts by default (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38114](https://github.com/cilium/cilium/issues/38114), [@joamaki](https://github.com/joamaki))
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38276](https://github.com/cilium/cilium/issues/38276), [@tklauser](https://github.com/tklauser))
- fix SBOM attestation documentation (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38429](https://github.com/cilium/cilium/issues/38429), [@jaehanbyun](https://github.com/jaehanbyun))
- fix(Documentation/installationk0s.rst): adjust kuberouter naming in k0s documentation (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38243](https://github.com/cilium/cilium/issues/38243), [@RiRa12621](https://github.com/RiRa12621))
- images: bump distroless to static (Backport PR [#38694](https://github.com/cilium/cilium/issues/38694), Upstream PR [#38647](https://github.com/cilium/cilium/issues/38647), [@kaworu](https://github.com/kaworu))
- ipcache: reduce labels map memory churn in resolveLabels a bit (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38494](https://github.com/cilium/cilium/issues/38494), [@tklauser](https://github.com/tklauser))
- maglev: Fix division by zero upon table recreation (Backport PR [#38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#38659](https://github.com/cilium/cilium/issues/38659), [@borkmann](https://github.com/borkmann))
- pkg/controller: fix data race in update params locked (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38327](https://github.com/cilium/cilium/issues/38327), [@aanm](https://github.com/aanm))
- pkg/endpoint: fix GetLabels data race access (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38328](https://github.com/cilium/cilium/issues/38328), [@aanm](https://github.com/aanm))
- pkg/endpoint: fix race in unit test (Backport PR [#38298](https://github.com/cilium/cilium/issues/38298), Upstream PR [#38129](https://github.com/cilium/cilium/issues/38129), [@squeed](https://github.com/squeed))
- policy: sync policy map for fake endpoints (Backport PR [#38526](https://github.com/cilium/cilium/issues/38526), Upstream PR [#38367](https://github.com/cilium/cilium/issues/38367), [@harsimran-pabla](https://github.com/harsimran-pabla))
- proxy: Fix data race in proxyports test (Backport PR [#38674](https://github.com/cilium/cilium/issues/38674), Upstream PR [#37890](https://github.com/cilium/cilium/issues/37890), [@jrajahalme](https://github.com/jrajahalme))
- Removal logic for the new cil_from_wireguard program to handle Cilium Downgrades from v1.18. ([#38187](https://github.com/cilium/cilium/issues/38187), [@smagnani96](https://github.com/smagnani96))
- remove the endpointRoutes for aws cni in the doc (Backport PR [#38700](https://github.com/cilium/cilium/issues/38700), Upstream PR [#38381](https://github.com/cilium/cilium/issues/38381), [@liyihuang](https://github.com/liyihuang))
- wireguard: cleanup cilium_calls map upon downgrading from v1.18 ([#38595](https://github.com/cilium/cilium/issues/38595), [@smagnani96](https://github.com/smagnani96))

**Other Changes:**

- \[v1.17] hubble/exporter: Fix logging exporter options as JSON ([#38476](https://github.com/cilium/cilium/issues/38476), [@devodev](https://github.com/devodev))
- \[v1.17] proxy: Bump envoy version to 1.32.x ([#38306](https://github.com/cilium/cilium/issues/38306), [@sayboras](https://github.com/sayboras))
- deps: Bump GoBGP to v3.35.0 ([#38405](https://github.com/cilium/cilium/issues/38405), [@rastislavs](https://github.com/rastislavs))
- fix AWS ENI IPAM mode performance regression in the Operator when `--update-ec2-adapter-limit-via-api` is set to `true`
([#38532](https://github.com/cilium/cilium/issues/38532), [@antonipp](https://github.com/antonipp))
- Fix IPv6 for LocalRedirectPolicy with `skipRedirectFromBackend` option. ([#38509](https://github.com/cilium/cilium/issues/38509), [@julianwiedmann](https://github.com/julianwiedmann))
- install: Update image digests for v1.17.2 ([#38205](https://github.com/cilium/cilium/issues/38205), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])
- ipsec: backport minimal VinE support for upgrade scenarios ([#37993](https://github.com/cilium/cilium/issues/37993), [@ldelossa](https://github.com/ldelossa))

### [`v1.17.2`](https://github.com/cilium/cilium/releases/tag/v1.17.2): 1.17.2

[Compare Source](https://github.com/cilium/cilium/compare/1.17.1...1.17.2)

## Summary of Changes

**Minor Changes:**

- docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37989](https://github.com/cilium/cilium/issues/37989), [@oblazek](https://github.com/oblazek))
- Increase granularity of the `api_duration_seconds` metric buckets (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37365](https://github.com/cilium/cilium/issues/37365), [@jaredledvina](https://github.com/jaredledvina))
- New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time Cilium agent waits for endpoint policies to regenerate before starting serving resources to `cilium-envoy` proxy.
(Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37658](https://github.com/cilium/cilium/issues/37658), [@jrajahalme](https://github.com/jrajahalme))
- Set json output as default for `cilium-dbg endpoint get` (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#36537](https://github.com/cilium/cilium/issues/36537), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet))
- Set json output as default for `cilium-dbg endpoint get` (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#36537](https://github.com/cilium/cilium/issues/36537), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet))

**Bugfixes:**

- Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37674](https://github.com/cilium/cilium/issues/37674), [@julianwiedmann](https://github.com/julianwiedmann))
- Auth policy is properly maintained also when covered by proxy redirects.
(Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37685](https://github.com/cilium/cilium/issues/37685), [@jrajahalme](https://github.com/jrajahalme))
- Do not auto detect / auto select IPoIB devices (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37553](https://github.com/cilium/cilium/issues/37553), [@dylandreimerink](https://github.com/dylandreimerink))
- Egress route reconciliation (Backport PR [#38118](https://github.com/cilium/cilium/issues/38118), Upstream PR [#37962](https://github.com/cilium/cilium/issues/37962), [@dylandreimerink](https://github.com/dylandreimerink))
- Fix a regression that made it impossible to disable Hubble via Helm charts (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37587](https://github.com/cilium/cilium/issues/37587), [@devodev](https://github.com/devodev))
- Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters.
(Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37787](https://github.com/cilium/cilium/issues/37787), [@pchaigno](https://github.com/pchaigno))
- Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37474](https://github.com/cilium/cilium/issues/37474), [@dustinspecker](https://github.com/dustinspecker))
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37419](https://github.com/cilium/cilium/issues/37419), [@javanthropus](https://github.com/javanthropus))
- Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#36978](https://github.com/cilium/cilium/issues/36978), [@tommasopozzetti](https://github.com/tommasopozzetti))
- Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37818](https://github.com/cilium/cilium/issues/37818), [@haozhangami](https://github.com/haozhangami))
- Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics.
(Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37543](https://github.com/cilium/cilium/issues/37543), [@rectified95](https://github.com/rectified95))
- Fix service id exceeds max limit (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37191](https://github.com/cilium/cilium/issues/37191), [@haozhangami](https://github.com/haozhangami))
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37532](https://github.com/cilium/cilium/issues/37532), [@antonipp](https://github.com/antonipp))
- Fix the possible race condition caused by async update from aws to instance map in issue [#36428](https://github.com/cilium/cilium/issues/36428) (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37650](https://github.com/cilium/cilium/issues/37650), [@liyihuang](https://github.com/liyihuang))
- Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set.
(Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37450](https://github.com/cilium/cilium/issues/37450), [@liyihuang](https://github.com/liyihuang))
- fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37585](https://github.com/cilium/cilium/issues/37585), [@acelinkio](https://github.com/acelinkio))
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37236](https://github.com/cilium/cilium/issues/37236), [@dee-kryvenko](https://github.com/dee-kryvenko))
- fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37693](https://github.com/cilium/cilium/issues/37693), [@cmergenthaler](https://github.com/cmergenthaler))
- Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37536](https://github.com/cilium/cilium/issues/37536), [@nicl-dev](https://github.com/nicl-dev))
- Fixed Envoy JSON log format conversion in Helm, preventing crashes.
(Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37656](https://github.com/cilium/cilium/issues/37656), [@kahirokunn](https://github.com/kahirokunn))
- helm: fix large number handling (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37670](https://github.com/cilium/cilium/issues/37670), [@justin0u0](https://github.com/justin0u0))
- hubble: escape terminal special characters from observe output (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37401](https://github.com/cilium/cilium/issues/37401), [@devodev](https://github.com/devodev))
- hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37923](https://github.com/cilium/cilium/issues/37923), [@marseel](https://github.com/marseel))
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#36657](https://github.com/cilium/cilium/issues/36657), [@oblazek](https://github.com/oblazek))
- ipam/multi-pool: Periodically perform pool maintenance (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37895](https://github.com/cilium/cilium/issues/37895), [@gandro](https://github.com/gandro))
- operator: explicit controller-runtime controller names to avoid naming conflicts (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37606](https://github.com/cilium/cilium/issues/37606), [@mhofstetter](https://github.com/mhofstetter))
- operator: Fix duplicate configurations (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37293](https://github.com/cilium/cilium/issues/37293), [@joestringer](https://github.com/joestringer))
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#38029](https://github.com/cilium/cilium/issues/38029), [@julianwiedmann](https://github.com/julianwiedmann))
- Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport PR [#38154](https://github.com/cilium/cilium/issues/38154), Upstream PR [#38143](https://github.com/cilium/cilium/issues/38143), [@youngnick](https://github.com/youngnick))
- Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevents iptables configuration and induced unnecessary loops and log messages.
(Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37749](https://github.com/cilium/cilium/issues/37749), [@fgiloux](https://github.com/fgiloux))

**CI Changes:**

- .github: Remove misleading step from ipsec workflow (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37681](https://github.com/cilium/cilium/issues/37681), [@joestringer](https://github.com/joestringer))
- .github: s/enbaled/enabled/ (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37449](https://github.com/cilium/cilium/issues/37449), [@chansuke](https://github.com/chansuke))
- bgpv1: wait for watchers to be ready in tests (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37884](https://github.com/cilium/cilium/issues/37884), [@harsimran-pabla](https://github.com/harsimran-pabla))
- CI: GKE backslash missing disable insecure kubelet (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37850](https://github.com/cilium/cilium/issues/37850), [@auriaave](https://github.com/auriaave))
- CI: GKE, disable insecure kubelet readonly port (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37844](https://github.com/cilium/cilium/issues/37844), [@auriaave](https://github.com/auriaave))
- ci: switch to monitor aggregation medium (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#38036](https://github.com/cilium/cilium/issues/38036), [@marseel](https://github.com/marseel))
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37551](https://github.com/cilium/cilium/issues/37551), [@jschwinger233](https://github.com/jschwinger233))
- gh: ipsec-e2e: add concurrency for connectivity tests (Backport PR [#37925](https://github.com/cilium/cilium/issues/37925), Upstream PR [#37891](https://github.com/cilium/cilium/issues/37891), [@julianwiedmann](https://github.com/julianwiedmann))
- gh: update naming for bpftrace leak detection script (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37865](https://github.com/cilium/cilium/issues/37865), [@julianwiedmann](https://github.com/julianwiedmann))

**Misc Changes:**

- always render enable-hubble in the Cilium configmap (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37703](https://github.com/cilium/cilium/issues/37703), [@kaworu](https://github.com/kaworu))
- bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#38037](https://github.com/cilium/cilium/issues/38037), [@borkmann](https://github.com/borkmann))
- bpf: minor clean-ups for the ENI symmetric routing feature (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37379](https://github.com/cilium/cilium/issues/37379), [@julianwiedmann](https://github.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.17) ([#37950](https://github.com/cilium/cilium/issues/37950), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17) ([#37944](https://github.com/cilium/cilium/issues/37944), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17) ([#38048](https://github.com/cilium/cilium/issues/38048), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17)
([#&#8203;37793](https://github.com/cilium/cilium/issues/37793), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) ([#&#8203;37949](https://github.com/cilium/cilium/issues/37949), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) ([#&#8203;38057](https://github.com/cilium/cilium/issues/38057), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.7 (v1.17) ([#&#8203;37996](https://github.com/cilium/cilium/issues/37996), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 \[security] (v1.17) ([#&#8203;37833](https://github.com/cilium/cilium/issues/37833), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) ([#&#8203;38148](https://github.com/cilium/cilium/issues/38148), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - cilium-dbg: output parentIfIndex in bpf endpoint list (Backport PR [#&#8203;37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#&#8203;37398](https://github.com/cilium/cilium/issues/37398), [@&#8203;Mahdi-BZ](https://github.com/Mahdi-BZ)) - cilium: Allow to configure tunnel source port range (Backport PR [#&#8203;37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#&#8203;37777](https://github.com/cilium/cilium/issues/37777), [@&#8203;borkmann](https://github.com/borkmann)) - cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport PR [#&#8203;37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#&#8203;37808](https://github.com/cilium/cilium/issues/37808), [@&#8203;borkmann](https://github.com/borkmann)) - 
docs: complete load balancer service manifest in kubeproxy-free (Backport PR [#&#8203;37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#&#8203;37466](https://github.com/cilium/cilium/issues/37466), [@&#8203;ybelleguic](https://github.com/ybelleguic)) - docs: fix broken links (Backport PR [#&#8203;38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#&#8203;37995](https://github.com/cilium/cilium/issues/37995), [@&#8203;nueavv](https://github.com/nueavv)) - docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport PR [#&#8203;37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#&#8203;37604](https://github.com/cilium/cilium/issues/37604), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - docs: use latest for rtd theme commit with fixed version selector (Backport PR [#&#8203;37614](https://github.com/cilium/cilium/issues/37614), Upstream PR [#&#8203;37421](https://github.com/cilium/cilium/issues/37421), [@&#8203;ayuspin](https://github.com/ayuspin)) - envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport PR [#&#8203;37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#&#8203;37683](https://github.com/cilium/cilium/issues/37683), [@&#8203;marseel](https://github.com/marseel)) - Fix API generation and add trusted dependencies to renovate config (Backport PR [#&#8203;37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#&#8203;36957](https://github.com/cilium/cilium/issues/36957), [@&#8203;aanm](https://github.com/aanm)) - Fix API generation and add trusted dependencies to renovate config (Backport PR [#&#8203;37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#&#8203;36957](https://github.com/cilium/cilium/issues/36957), [@&#8203;aanm](https://github.com/aanm)) - Fix helm value for IPAM Multi-Pool (Backport PR [#&#8203;38104](https://github.com/cilium/cilium/issues/38104), Upstream PR 
[#37963](https://github.com/cilium/cilium/issues/37963), [@saintdle](https://github.com/saintdle))
- fqdn/dnsproxy: use `netip.Addr` for `DNSProxy.usedServers` (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#37985](https://github.com/cilium/cilium/issues/37985), [@tklauser](https://github.com/tklauser))
- gha: Update the helm flag for TLS related test (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37428](https://github.com/cilium/cilium/issues/37428), [@sayboras](https://github.com/sayboras))
- ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport PR [#38104](https://github.com/cilium/cilium/issues/38104), Upstream PR [#38021](https://github.com/cilium/cilium/issues/38021), [@christarazi](https://github.com/christarazi))
- labels: fix TestNewFrom test (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37846](https://github.com/cilium/cilium/issues/37846), [@giorio94](https://github.com/giorio94))
- Moves Unix socket listener configuration to a new file specifically for Linux builds.
(Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37399](https://github.com/cilium/cilium/issues/37399), [@ritwikranjan](https://github.com/ritwikranjan))
- operator: Explicitly init the FQDN regex LRU cache (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37366](https://github.com/cilium/cilium/issues/37366), [@christarazi](https://github.com/christarazi))
- pkg/hive: always use default logger when decorating cells (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37636](https://github.com/cilium/cilium/issues/37636), [@aanm](https://github.com/aanm))
- policy: Skip iteration when proxy port priority is zero (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37422](https://github.com/cilium/cilium/issues/37422), [@jrajahalme](https://github.com/jrajahalme))
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR [#37904](https://github.com/cilium/cilium/issues/37904), Upstream PR [#37806](https://github.com/cilium/cilium/issues/37806), [@rolinh](https://github.com/rolinh))
- Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list.
See [v0.13.2](https://github.com/cilium/hubble-ui/releases/tag/v0.13.2) for more details (Backport PR [#37742](https://github.com/cilium/cilium/issues/37742), Upstream PR [#37631](https://github.com/cilium/cilium/issues/37631), [@yannikmesserli](https://github.com/yannikmesserli))
- use runtime image set by env var action in build and lint (Backport PR [#37648](https://github.com/cilium/cilium/issues/37648), Upstream PR [#37253](https://github.com/cilium/cilium/issues/37253), [@Artyop](https://github.com/Artyop))

**Other Changes:**

- \[v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" ([#38101](https://github.com/cilium/cilium/issues/38101), [@julianwiedmann](https://github.com/julianwiedmann))
- Backport set runtime action 1.17 ([#37854](https://github.com/cilium/cilium/issues/37854), [@Artyop](https://github.com/Artyop))
- gha: Update GatewayAPI conformance report ([#37671](https://github.com/cilium/cilium/issues/37671), [@sayboras](https://github.com/sayboras))
- install: Update image digests for v1.17.1 ([#37580](https://github.com/cilium/cilium/issues/37580), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])
- v1.17: gh/workflows: Remove conformance-externalworkloads ([#37738](https://github.com/cilium/cilium/issues/37738), [@brb](https://github.com/brb))

### [`v1.17.1`](https://github.com/cilium/cilium/releases/tag/v1.17.1): 1.17.1

[Compare Source](https://github.com/cilium/cilium/compare/1.17.0...1.17.1)

## Summary of Changes

**Minor Changes:**

- \[v1.17] agent: Deprecate lb-only mode
([#37391](https://github.com/cilium/cilium/issues/37391), [@brb](https://github.com/brb))
- helm: Update CiliumNodeConfig version (Backport PR [#37440](https://github.com/cilium/cilium/issues/37440), Upstream PR [#37403](https://github.com/cilium/cilium/issues/37403), [@sayboras](https://github.com/sayboras))

**Bugfixes:**

- ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR [#37416](https://github.com/cilium/cilium/issues/37416), Upstream PR [#37347](https://github.com/cilium/cilium/issues/37347), [@gandro](https://github.com/gandro))
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR [#37440](https://github.com/cilium/cilium/issues/37440), Upstream PR [#37426](https://github.com/cilium/cilium/issues/37426), [@alvaroaleman](https://github.com/alvaroaleman))

**CI Changes:**

- test: Move the dind image to Quay to avoid rate-limiting (Backport PR [#37440](https://github.com/cilium/cilium/issues/37440), Upstream PR [#37388](https://github.com/cilium/cilium/issues/37388), [@pchaigno](https://github.com/pchaigno))

**Misc Changes:**

- chore(deps): update all github action dependencies (v1.17) ([#37502](https://github.com/cilium/cilium/issues/37502), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17) ([#37342](https://github.com/cilium/cilium/issues/37342), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.17) ([#37501](https://github.com/cilium/cilium/issues/37501), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.23.6 (v1.17) ([#37446](https://github.com/cilium/cilium/issues/37446), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable
lvh-images (v1.17) (patch) ([#37409](https://github.com/cilium/cilium/issues/37409), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) ([#37496](https://github.com/cilium/cilium/issues/37496), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])

**Other Changes:**

- install: Update image digests for v1.17.0 ([#37432](https://github.com/cilium/cilium/issues/37432), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])

### [`v1.17.0`](https://github.com/cilium/cilium/releases/tag/v1.17.0): 1.17.0

[Compare Source](https://github.com/cilium/cilium/compare/1.16.9...1.17.0)

We are excited to announce the **Cilium** **1.17.0** release! A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars!
:star_struck:

To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements)

Here's what's new in v1.17.0:

:mountain_cableway: **Networking**

- :vertical_traffic_light: **Quality of Service:** Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority ([#36025](https://github.com/cilium/cilium/issues/36025), [@hemanthmalla](https://github.com/hemanthmalla))
- :globe_with_meridians: **Multi-Cluster Service API:** Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh ([#34439](https://github.com/cilium/cilium/issues/34439), [@MrFreezeex](https://github.com/MrFreezeex))
- :twisted_rightwards_arrows: **Load Balance based on L4 Protocol:** Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends ([#33434](https://github.com/cilium/cilium/issues/33434), [@jibi](https://github.com/jibi))
- :magnet: **Per-Service LB Algorithms:** Choose maglev or random load balancing algorithms for individual services ([#35735](https://github.com/cilium/cilium/issues/35735), [@kl52752](https://github.com/kl52752))
- :no_entry: **Deny lists for Service source ranges:** Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list ([#36120](https://github.com/cilium/cilium/issues/36120), [@borkmann](https://github.com/borkmann))
- :swimmer: **Better control over IPAM:** IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools ([#34622](https://github.com/cilium/cilium/issues/34622), [@antonipp](https://github.com/antonipp); [#34618](https://github.com/cilium/cilium/issues/34618), [@juliusmh](https://github.com/juliusmh))
- :electric_plug: **Dynamic MTU detection:** Cilium respects changes made to MTU made at
runtime without requiring agent restart ([#34314](https://github.com/cilium/cilium/issues/34314), [@dylandreimerink](https://github.com/dylandreimerink))

:guardswoman: **Security**

- :rocket: **Improved network policy performance:** The cost of computing complex combinations of network policies has been reduced (Various PRs by [@joamaki](https://github.com/joamaki), [@jrajahalme](https://github.com/jrajahalme), [@marseel](https://github.com/marseel), [@nathanjsweet](https://github.com/nathanjsweet), [@squeed](https://github.com/squeed) and [@youngnick](https://github.com/youngnick))
- :card_index_dividers: **Prioritize critical network policies:** Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices ([#34199](https://github.com/cilium/cilium/issues/34199), [@Kaczyniec](https://github.com/Kaczyniec))
- :clipboard: **Validate Network Policies:** Receive better feedback from Kubernetes when creating network policies ([#34585](https://github.com/cilium/cilium/issues/34585), [@squeed](https://github.com/squeed); [#35904](https://github.com/cilium/cilium/issues/35904), [@renyunkang](https://github.com/renyunkang); [#36598](https://github.com/cilium/cilium/issues/36598), [@pippolo84](https://github.com/pippolo84))
- :label: **Select CIDRGroups by Label:** Add labels to CIDRGroups and use these for network policy selection ([#36087](https://github.com/cilium/cilium/issues/36087), [@squeed](https://github.com/squeed))
- :bellhop_bell: **Extend ToServices for in-cluster services:** Services with a selector can be selected with ToServices network policies statements ([#34208](https://github.com/cilium/cilium/issues/34208), [@chaunceyjiang](https://github.com/chaunceyjiang))
- :construction: **FQDN Filtering for hostNetwork:** Use
CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster ([#34024](https://github.com/cilium/cilium/issues/34024), [@atykhyy](https://github.com/atykhyy))
- :signal_strength: **HTTP policies on port ranges:** Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic ([#36056](https://github.com/cilium/cilium/issues/36056), [@jrajahalme](https://github.com/jrajahalme))

:spider_web: **Service Mesh & Gateway API**

- :shinto_shrine: **Gateway API 1.2.1:** Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions ([#34720](https://github.com/cilium/cilium/issues/34720), [@sayboras](https://github.com/sayboras))
- :memo: **Static Gateway Addressing:** Cilium now supports statically specifying addresses for gateways ([#33042](https://github.com/cilium/cilium/issues/33042), [@chaunceyjiang](https://github.com/chaunceyjiang))
- :closed_lock_with_key: **Improved Envoy TLS handling:** Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access ([#35513](https://github.com/cilium/cilium/issues/35513), [@youngnick](https://github.com/youngnick))

:artificial_satellite: **Observability**

- :mag: **Dynamic Hubble Metrics:** Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability ([#35185](https://github.com/cilium/cilium/issues/35185), [@rectified95](https://github.com/rectified95))
- :railway_track: **Track enabled features using Prometheus:** The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled.
([#35852](https://github.com/cilium/cilium/issues/35852), [@aanm](https://github.com/aanm))
- :bar_chart: **Many new metrics:** Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various PRs by [@AwesomePatrol](https://github.com/AwesomePatrol), [@harsimran-pabla](https://github.com/harsimran-pabla), [@joestringer](https://github.com/joestringer), [@jshr-w](https://github.com/jshr-w), [@mikejoh](https://github.com/mikejoh), [@nimishamehta5](https://github.com/nimishamehta5), [@odinuge](https://github.com/odinuge), [@ovidiutirla](https://github.com/ovidiutirla), [@rectified95](https://github.com/rectified95) and [@sjdot](https://github.com/sjdot))

:sunrise: **Scale**

- :chart_with_upwards_trend: **Better cluster connectivity checking:** The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale ([#35163](https://github.com/cilium/cilium/issues/35163), [@jshr-w](https://github.com/jshr-w))
- :hourglass_flowing_sand: **Rate-limit monitor events:** Balance the number of eBPF events against the CPU usage required to process them ([#29711](https://github.com/cilium/cilium/issues/29711), [@siwiutki](https://github.com/siwiutki))
- :busts_in_silhouette: **Double-Write Identity mode:** New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends ([#31920](https://github.com/cilium/cilium/issues/31920), [@antonipp](https://github.com/antonipp))
- :balance_scale: **Better scale testing:** This release benefits from regular automated scale testing for network policy ([#35278](https://github.com/cilium/cilium/issues/35278), [@marseel](https://github.com/marseel))

:houses: **Community**

- :heart: Many end-users have stepped forward to tell their stories
running Cilium in production. If your company wants to submit their case studies, let us know. We would love to hear your feedback!
- [Seznam](https://www.cncf.io/case-studies/seznam/), [Alibaba Cloud](https://www.cncf.io/case-studies/alibaba/), [SysEleven](https://www.cncf.io/case-studies/syseleven/), [QingCloud](https://www.cncf.io/case-studies/qingcloud/), [ECCO](https://www.youtube.com/watch?v=Ennjmo9TFaM), [Reddit](https://www.youtube.com/watch?v=YNDp7Id7Bbs), [Confluent](https://www.youtube.com/watch?v=vOSiVeBXYpM), [SamsungAds](https://www.youtube.com/watch?v=2KlVTx611bk), and [Sony](https://www.youtube.com/watch?v=M0PincxlHpI)
- The [Cilium Annual Report 2024](https://github.com/cilium/cilium.io/blob/main/Annual-Reports/Cilium_Annual_Report\_2024.pdf) was released covering all the highlights from across the community and marking the “Year of Kubernetes Networking”
- The community gathered at [Cilium + eBPF Day](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/cilium-ebpf-day/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2024-NA) in Salt Lake City
- Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://docs.google.com/forms/d/e/1FAIpQLSd8E1dtCYiwqcw1MemQU3RDKlIQNBi2dRVMVGqDPgSow9mKjA/viewform?usp=header) in London

And finally, we would like to thank all contributors of Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you.
:heart: :heart: :heart:

For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md

### [`v1.16.9`](https://github.com/cilium/cilium/releases/tag/v1.16.9): 1.16.9

[Compare Source](https://github.com/cilium/cilium/compare/1.16.8...1.16.9)

## Summary of Changes

**Minor Changes:**

- Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR [#38400](https://github.com/cilium/cilium/issues/38400), Upstream PR [#37936](https://github.com/cilium/cilium/issues/37936), [@smagnani96](https://github.com/smagnani96))
- Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#35900](https://github.com/cilium/cilium/issues/35900), [@smagnani96](https://github.com/smagnani96))

**Bugfixes:**

- bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#38592](https://github.com/cilium/cilium/issues/38592), [@julianwiedmann](https://github.com/julianwiedmann))
- Fix panic caused in dual cluster setups where LRPs with `skipRedirectFromBackend` flag set to true are installed and IPv6 is disabled.
(Backport PR [#38701](https://github.com/cilium/cilium/issues/38701), Upstream PR [#38656](https://github.com/cilium/cilium/issues/38656), [@aditighag](https://github.com/aditighag))
- For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#38737](https://github.com/cilium/cilium/issues/38737), [@julianwiedmann](https://github.com/julianwiedmann))

**CI Changes:**

- build: update golangci-lint to v2.0.0 (Backport PR [#38631](https://github.com/cilium/cilium/issues/38631), Upstream PR [#38473](https://github.com/cilium/cilium/issues/38473), [@mhofstetter](https://github.com/mhofstetter))
- ci: build CI images within merge group (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38065](https://github.com/cilium/cilium/issues/38065), [@marseel](https://github.com/marseel))
- ci: prepare CI Image build for being required (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38320](https://github.com/cilium/cilium/issues/38320), [@marseel](https://github.com/marseel))
- Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38264](https://github.com/cilium/cilium/issues/38264), [@smagnani96](https://github.com/smagnani96))
- Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38290](https://github.com/cilium/cilium/issues/38290), [@smagnani96](https://github.com/smagnani96))
- Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script.
(Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38281](https://github.com/cilium/cilium/issues/38281), [@smagnani96](https://github.com/smagnani96))
- Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38265](https://github.com/cilium/cilium/issues/38265), [@smagnani96](https://github.com/smagnani96))
- Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38292](https://github.com/cilium/cilium/issues/38292), [@smagnani96](https://github.com/smagnani96))
- Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38291](https://github.com/cilium/cilium/issues/38291), [@smagnani96](https://github.com/smagnani96))
- gh: aws-cni: set --enable-identity-mark=false option (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#38738](https://github.com/cilium/cilium/issues/38738), [@julianwiedmann](https://github.com/julianwiedmann))
- gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#37551](https://github.com/cilium/cilium/issues/37551), [@jschwinger233](https://github.com/jschwinger233))
- gh: update naming for bpftrace leak detection script (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#37865](https://github.com/cilium/cilium/issues/37865), [@julianwiedmann](https://github.com/julianwiedmann))
- Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script.
(Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38278](https://github.com/cilium/cilium/issues/38278), [@smagnani96](https://github.com/smagnani96))
- Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38293](https://github.com/cilium/cilium/issues/38293), [@smagnani96](https://github.com/smagnani96))
- Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38266](https://github.com/cilium/cilium/issues/38266), [@smagnani96](https://github.com/smagnani96))
- Refactoring and code comments for the check-encryption-leak script. (Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38263](https://github.com/cilium/cilium/issues/38263), [@smagnani96](https://github.com/smagnani96))
- Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38297](https://github.com/cilium/cilium/issues/38297), [@smagnani96](https://github.com/smagnani96))
- Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38280](https://github.com/cilium/cilium/issues/38280), [@smagnani96](https://github.com/smagnani96))
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script.
(Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38289](https://github.com/cilium/cilium/issues/38289), [@smagnani96](https://github.com/smagnani96))
- Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38289](https://github.com/cilium/cilium/issues/38289), [@smagnani96](https://github.com/smagnani96))
- Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#38521](https://github.com/cilium/cilium/issues/38521), Upstream PR [#38287](https://github.com/cilium/cilium/issues/38287), [@smagnani96](https://github.com/smagnani96))
- Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR [#38741](https://github.com/cilium/cilium/issues/38741), Upstream PR [#38268](https://github.com/cilium/cilium/issues/38268), [@smagnani96](https://github.com/smagnani96))
- test: Update FQDN related domain and IP (Backport PR [#38770](https://github.com/cilium/cilium/issues/38770), Upstream PR [#38754](https://github.com/cilium/cilium/issues/38754), [@sayboras](https://github.com/sayboras))

**Misc Changes:**

- \[v1.16] deps: bump github.com/containerd/containerd to v1.7.27 ([#38496](https://github.com/cilium/cilium/issues/38496), [@ferozsalam](https://github.com/ferozsalam))
- \[v1.16] deps: Bump package x/net ([#38323](https://github.com/cilium/cilium/issues/38323), [@ferozsalam](https://github.com/ferozsalam))
- \[v1.16] deps: bump package x/oauth2 ([#38404](https://github.com/cilium/cilium/issues/38404), [@ferozsalam](https://github.com/ferozsalam))
- \[v1.16]: deps: bump x/net to v0.38.0
([#38781](https://github.com/cilium/cilium/issues/38781), [@ferozsalam](https://github.com/ferozsalam))
- bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#37956](https://github.com/cilium/cilium/issues/37956), [@julianwiedmann](https://github.com/julianwiedmann))
- bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR [#38747](https://github.com/cilium/cilium/issues/38747), Upstream PR [#38430](https://github.com/cilium/cilium/issues/38430), [@julianwiedmann](https://github.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.16) ([#38347](https://github.com/cilium/cilium/issues/38347), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#38515](https://github.com/cilium/cilium/issues/38515), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) ([#38346](https://github.com/cilium/cilium/issues/38346), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#38304](https://github.com/cilium/cilium/issues/38304), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#38442](https://github.com/cilium/cilium/issues/38442), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#38543](https://github.com/cilium/cilium/issues/38543), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) ([#38731](https://github.com/cilium/cilium/issues/38731),
[@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) ([#38348](https://github.com/cilium/cilium/issues/38348), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) ([#38714](https://github.com/cilium/cilium/issues/38714), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to [`e246aa2`](https://github.com/cilium/cilium/commit/e246aa2) (v1.16) ([#38344](https://github.com/cilium/cilium/issues/38344), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) ([#38613](https://github.com/cilium/cilium/issues/38613), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.23.8 (v1.16) ([#38345](https://github.com/cilium/cilium/issues/38345), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) ([#38258](https://github.com/cilium/cilium/issues/38258), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) ([#38385](https://github.com/cilium/cilium/issues/38385), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) ([#38672](https://github.com/cilium/cilium/issues/38672), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update
quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) ([#38774](https://github.com/cilium/cilium/issues/38774), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) ([#38317](https://github.com/cilium/cilium/issues/38317), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) ([#38614](https://github.com/cilium/cilium/issues/38614), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) ([#38832](https://github.com/cilium/cilium/issues/38832), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38173](https://github.com/cilium/cilium/issues/38173), [@yrsuthari](https://github.com/yrsuthari))
- docs: clarify hubble flow filter match semantics (Backport PR [#38701](https://github.com/cilium/cilium/issues/38701), Upstream PR [#38657](https://github.com/cilium/cilium/issues/38657), [@devodev](https://github.com/devodev))
- docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38231](https://github.com/cilium/cilium/issues/38231), [@rastislavs](https://github.com/rastislavs))
- docs: Update LLVM requirements to 18.1 (Backport PR [#38342](https://github.com/cilium/cilium/issues/38342), Upstream PR [#38294](https://github.com/cilium/cilium/issues/38294), [@gentoo-root](https://github.com/gentoo-root))
- Documentation: "cilium config set" restarts by default (Backport PR
[#38299](https://github.com/cilium/cilium/issues/38299), Upstream PR [#38114](https://github.com/cilium/cilium/issues/38114), [@joamaki](https://github.com/joamaki))
- Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR [#38299](https://github.com/cilium/cilium/issues/38299), Upstream PR [#38276](https://github.com/cilium/cilium/issues/38276), [@tklauser](https://github.com/tklauser))
- images: bump distroless to static (Backport PR [#38695](https://github.com/cilium/cilium/issues/38695), Upstream PR [#38647](https://github.com/cilium/cilium/issues/38647), [@kaworu](https://github.com/kaworu))
- pkg/controller: fix data race in update params locked (Backport PR [#38525](https://github.com/cilium/cilium/issues/38525), Upstream PR [#38327](https://github.com/cilium/cilium/issues/38327), [@aanm](https://github.com/aanm))
- pkg/endpoint: fix race in unit test (Backport PR [#38299](https://github.com/cilium/cilium/issues/38299), Upstream PR [#38129](https://github.com/cilium/cilium/issues/38129), [@squeed](https://github.com/squeed))
- remove the endpointRoutes for aws cni in the doc (Backport PR [#38701](https://github.com/cilium/cilium/issues/38701), Upstream PR [#38381](https://github.com/cilium/cilium/issues/38381), [@liyihuang](https://github.com/liyihuang))

**Other Changes:**

- \[v1.16] hubble: fix flowfilter flag parsing allowing only one filter ([#38794](https://github.com/cilium/cilium/issues/38794), [@devodev](https://github.com/devodev))
- \[v1.16] proxy: Bump envoy version to 1.32.x ([#38307](https://github.com/cilium/cilium/issues/38307), [@sayboras](https://github.com/sayboras))
- fix AWS ENI IPAM mode performance regression in the Operator when `--update-ec2-adapter-limit-via-api` is set to `true` ([#38533](https://github.com/cilium/cilium/issues/38533),
[@antonipp](https://github.com/antonipp))
- gha: Skip HTTPRouteServiceTypes test ([#38343](https://github.com/cilium/cilium/issues/38343), [@sayboras](https://github.com/sayboras))
- install: Update image digests for v1.16.8 ([#38207](https://github.com/cilium/cilium/issues/38207), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])

#### Docker Manifests

##### cilium

`quay.io/cilium/cilium:v1.16.9@sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266`

##### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.9@sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066`

##### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.9@sha256:867b37f934411c11e9e50d0d691a2d1376ec4fe4c573c9b3af6950d559a97b28`

##### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.9@sha256:c978b77e607cc7fb9a92741464470002a192af47c5dec57b83f693919857199e`

##### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.9@sha256:59d2a5d5ab017c974c42eeb7f265f9b91aafad2ee6c73d5dffe0bfe44bedd134`

##### operator-aws

`quay.io/cilium/operator-aws:v1.16.9@sha256:f00e854ad7ae0c55e0e2352b71a98fe1358ba029e2e93b236a18c3b43664f948`

##### operator-azure

`quay.io/cilium/operator-azure:v1.16.9@sha256:549ef9d238b84313f4a9f25518a77ec16cc9b86a19e66242bee920eb9c065fea`

##### operator-generic

`quay.io/cilium/operator-generic:v1.16.9@sha256:0489f71dfeff23d1fbc4ee85a81a0274076ab2b53072aadbdf5963e83dc3faf7`

##### operator

`quay.io/cilium/operator:v1.16.9@sha256:c8d0d6ca36d49bdeeb82d75b58a061f10e9e402d493241d648c4e329027b67ee`

### [`v1.16.8`](https://github.com/cilium/cilium/releases/tag/v1.16.8): 1.16.8

[Compare Source](https://github.com/cilium/cilium/compare/1.16.7...1.16.8)

## Summary of Changes

**Minor Changes:**

- docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR
[#38106](https://github.com/cilium/cilium/issues/38106), Upstream PR [#37989](https://github.com/cilium/cilium/issues/37989), [@oblazek](https://github.com/oblazek))
- Increase granularity of the `api_duration_seconds` metric buckets (Backport PR [#38014](https://github.com/cilium/cilium/issues/38014), Upstream PR [#37365](https://github.com/cilium/cilium/issues/37365), [@jaredledvina](https://github.com/jaredledvina))

**Bugfixes:**

- Do not auto detect / auto select IPoIB devices (Backport PR [#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#37553](https://github.com/cilium/cilium/issues/37553), [@dylandreimerink](https://github.com/dylandreimerink))
- Egress route reconciliation (Backport PR [#38120](https://github.com/cilium/cilium/issues/38120), Upstream PR [#37962](https://github.com/cilium/cilium/issues/37962), [@dylandreimerink](https://github.com/dylandreimerink))
- Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37419](https://github.com/cilium/cilium/issues/37419), [@javanthropus](https://github.com/javanthropus))
- Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37818](https://github.com/cilium/cilium/issues/37818), [@haozhangami](https://github.com/haozhangami))
- Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR [#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#37532](https://github.com/cilium/cilium/issues/37532), [@antonipp](https://github.com/antonipp))
- fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR
[#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#37236](https://github.com/cilium/cilium/issues/37236), [@dee-kryvenko](https://github.com/dee-kryvenko))
- Fix: cilium-operator no longer patches services on shutdown (Backport PR [#38106](https://github.com/cilium/cilium/issues/38106), Upstream PR [#37967](https://github.com/cilium/cilium/issues/37967), [@rsafonseca](https://github.com/rsafonseca))
- helm: fix large number handling (Backport PR [#37743](https://github.com/cilium/cilium/issues/37743), Upstream PR [#37670](https://github.com/cilium/cilium/issues/37670), [@justin0u0](https://github.com/justin0u0))
- hubble: escape terminal special characters from observe output (Backport PR [#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#37401](https://github.com/cilium/cilium/issues/37401), [@devodev](https://github.com/devodev))
- identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR [#38014](https://github.com/cilium/cilium/issues/38014), Upstream PR [#36657](https://github.com/cilium/cilium/issues/36657), [@oblazek](https://github.com/oblazek))
- Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR [#38106](https://github.com/cilium/cilium/issues/38106), Upstream PR [#38029](https://github.com/cilium/cilium/issues/38029), [@julianwiedmann](https://github.com/julianwiedmann))

**CI Changes:**

- .github: Remove misleading step from ipsec workflow (Backport PR [#37743](https://github.com/cilium/cilium/issues/37743), Upstream PR [#37681](https://github.com/cilium/cilium/issues/37681), [@joestringer](https://github.com/joestringer))
- bgpv1: wait for watchers to be ready in tests (Backport PR [#38014](https://github.com/cilium/cilium/issues/38014), Upstream PR
[#37884](https://github.com/cilium/cilium/issues/37884), [@harsimran-pabla](https://github.com/harsimran-pabla))
- ci: add leak detection to conformance-ipsec-upgrade (Backport PR [#36575](https://github.com/cilium/cilium/issues/36575), Upstream PR [#36377](https://github.com/cilium/cilium/issues/36377), [@smagnani96](https://github.com/smagnani96))
- CI: GKE backslash missing disable insecure kubelet (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37850](https://github.com/cilium/cilium/issues/37850), [@auriaave](https://github.com/auriaave))
- CI: GKE, disable insecure kubelet readonly port (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37844](https://github.com/cilium/cilium/issues/37844), [@auriaave](https://github.com/auriaave))
- ci: switch to monitor aggregation medium (Backport PR [#38106](https://github.com/cilium/cilium/issues/38106), Upstream PR [#38036](https://github.com/cilium/cilium/issues/38036), [@marseel](https://github.com/marseel))
- Cleanups after LLVM upgrade.
(Backport PR [#37801](https://github.com/cilium/cilium/issues/37801), Upstream PR [#32067](https://github.com/cilium/cilium/issues/32067), [@gentoo-root](https://github.com/gentoo-root))

**Misc Changes:**

- \[v1.16] docs: Update requirements.txt dependencies ([#37616](https://github.com/cilium/cilium/issues/37616), [@joestringer](https://github.com/joestringer))
- allocator: correctly propagate context to RunGC call (Backport PR [#37743](https://github.com/cilium/cilium/issues/37743), Upstream PR [#36034](https://github.com/cilium/cilium/issues/36034), [@giorio94](https://github.com/giorio94))
- chore(deps): update all github action dependencies (v1.16) ([#37952](https://github.com/cilium/cilium/issues/37952), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#37997](https://github.com/cilium/cilium/issues/37997), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#38049](https://github.com/cilium/cilium/issues/38049), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) ([#37951](https://github.com/cilium/cilium/issues/37951), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.23.7 (v1.16) ([#37998](https://github.com/cilium/cilium/issues/37998), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 \[security] (v1.16) ([#37834](https://github.com/cilium/cilium/issues/37834), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16)
([#38149](https://github.com/cilium/cilium/issues/38149), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- docs: fix broken links (Backport PR [#38106](https://github.com/cilium/cilium/issues/38106), Upstream PR [#37995](https://github.com/cilium/cilium/issues/37995), [@nueavv](https://github.com/nueavv))
- Fix API generation and add trusted dependencies to renovate config (Backport PR [#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#36957](https://github.com/cilium/cilium/issues/36957), [@aanm](https://github.com/aanm))
- Fix helm value for IPAM Multi-Pool (Backport PR [#38014](https://github.com/cilium/cilium/issues/38014), Upstream PR [#37963](https://github.com/cilium/cilium/issues/37963), [@saintdle](https://github.com/saintdle))
- labels: fix TestNewFrom test (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37846](https://github.com/cilium/cilium/issues/37846), [@giorio94](https://github.com/giorio94))
- Moves Unix socket listener configuration to a new file specifically for Linux builds.
(Backport PR [#37647](https://github.com/cilium/cilium/issues/37647), Upstream PR [#37399](https://github.com/cilium/cilium/issues/37399), [@ritwikranjan](https://github.com/ritwikranjan))
- Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR [#37900](https://github.com/cilium/cilium/issues/37900), Upstream PR [#37806](https://github.com/cilium/cilium/issues/37806), [@rolinh](https://github.com/rolinh))
- wireguard: attach Ingress program for native routing mode configurations (Backport PR [#38117](https://github.com/cilium/cilium/issues/38117), Upstream PR [#37108](https://github.com/cilium/cilium/issues/37108), [@julianwiedmann](https://github.com/julianwiedmann))

**Other Changes:**

- \[v1.16] images: update cilium-{runtime,builder} ([#38054](https://github.com/cilium/cilium/issues/38054), [@julianwiedmann](https://github.com/julianwiedmann))
- install: Update image digests for v1.16.7 ([#37709](https://github.com/cilium/cilium/issues/37709), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])
- v1.16: gh/workflows: Remove conformance-externalworkloads ([#37739](https://github.com/cilium/cilium/issues/37739), [@brb](https://github.com/brb))

#### Docker Manifests

##### cilium

`quay.io/cilium/cilium:v1.16.8@sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d`

##### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.8@sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea`

##### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.8@sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e`

##### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.8@sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be`

##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.16.8@sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252`

##### operator-aws

`quay.io/cilium/operator-aws:v1.16.8@sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b`

##### operator-azure

`quay.io/cilium/operator-azure:v1.16.8@sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04`

##### operator-generic

`quay.io/cilium/operator-generic:v1.16.8@sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d`

##### operator

`quay.io/cilium/operator:v1.16.8@sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220`

### [`v1.16.7`](https://github.com/cilium/cilium/releases/tag/v1.16.7): 1.16.7

[Compare Source](https://github.com/cilium/cilium/compare/1.16.6...1.16.7)

## Summary of Changes

**Minor Changes:**

- Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR [#37124](https://github.com/cilium/cilium/issues/37124), Upstream PR [#36598](https://github.com/cilium/cilium/issues/36598), [@pippolo84](https://github.com/pippolo84))
- doc: Added hostLegacyRouting limitation for Talos (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36852](https://github.com/cilium/cilium/issues/36852), [@PhilipSchmid](https://github.com/PhilipSchmid))

**Bugfixes:**

- agent: defend against null pointer refs in cecManager.getEndpoint() (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37188](https://github.com/cilium/cilium/issues/37188), [@aetimmes](https://github.com/aetimmes))
- Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM.
(Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37123](https://github.com/cilium/cilium/issues/37123), [@julianwiedmann](https://github.com/julianwiedmann))
- ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR [#37417](https://github.com/cilium/cilium/issues/37417), Upstream PR [#37347](https://github.com/cilium/cilium/issues/37347), [@gandro](https://github.com/gandro))
- envoy: add configurable access log buffer size (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36823](https://github.com/cilium/cilium/issues/36823), [@aetimmes](https://github.com/aetimmes))
- Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36929](https://github.com/cilium/cilium/issues/36929), [@julianwiedmann](https://github.com/julianwiedmann))
- Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37085](https://github.com/cilium/cilium/issues/37085), [@giorio94](https://github.com/giorio94))
- Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped.
(Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#37086](https://github.com/cilium/cilium/issues/37086), [@giorio94](https://github.com/giorio94))
- Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36103](https://github.com/cilium/cilium/issues/36103), [@viktor-kurchenko](https://github.com/viktor-kurchenko))
- maps/nat/stats: Use Start context when waiting for maps (Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37262](https://github.com/cilium/cilium/issues/37262), [@tommyp1ckles](https://github.com/tommyp1ckles))
- nodeinit: move kubelet restart inside if/else in startup.bash (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37282](https://github.com/cilium/cilium/issues/37282), [@ayuspin](https://github.com/ayuspin))
- Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36504](https://github.com/cilium/cilium/issues/36504), [@viktor-kurchenko](https://github.com/viktor-kurchenko))
- socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR [#37441](https://github.com/cilium/cilium/issues/37441), Upstream PR [#37426](https://github.com/cilium/cilium/issues/37426), [@alvaroaleman](https://github.com/alvaroaleman))

**CI Changes:**

- \[v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI ([#37380](https://github.com/cilium/cilium/issues/37380), [@giorio94](https://github.com/giorio94))
- gh: harmonize lvh kernel naming scheme (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR
[#37322](https://github.com/cilium/cilium/issues/37322), [@julianwiedmann](https://github.com/julianwiedmann))
- gh: update removed --loglevel option for kind (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36935](https://github.com/cilium/cilium/issues/36935), [@julianwiedmann](https://github.com/julianwiedmann))
- gha: bump ubuntu version in conformance-externalworkloads (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36859](https://github.com/cilium/cilium/issues/36859), [@giorio94](https://github.com/giorio94))
- gha: correctly downgrade to patch release in ipsec workflows (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36858](https://github.com/cilium/cilium/issues/36858), [@giorio94](https://github.com/giorio94))
- gha: fix retrieval of DNS server in conformance external workloads (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37361](https://github.com/cilium/cilium/issues/37361), [@giorio94](https://github.com/giorio94))
- gha: Retrieve eks supported version via aws cli (Backport PR [#37223](https://github.com/cilium/cilium/issues/37223), Upstream PR [#37210](https://github.com/cilium/cilium/issues/37210), [@sayboras](https://github.com/sayboras))
- Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36364](https://github.com/cilium/cilium/issues/36364), [@smagnani96](https://github.com/smagnani96))
- Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script.
(Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36962](https://github.com/cilium/cilium/issues/36962), [@smagnani96](https://github.com/smagnani96))
- test: Fix the flake for TestRestoredPort (Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37106](https://github.com/cilium/cilium/issues/37106), [@sayboras](https://github.com/sayboras))
- test: Move demo-httpd from Docker to Quay (Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37149](https://github.com/cilium/cilium/issues/37149), [@joestringer](https://github.com/joestringer))
- test: Move the dind image to Quay to avoid rate-limiting (Backport PR [#37441](https://github.com/cilium/cilium/issues/37441), Upstream PR [#37388](https://github.com/cilium/cilium/issues/37388), [@pchaigno](https://github.com/pchaigno))

**Misc Changes:**

- build: Remove debug leftover from Makefile (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36917](https://github.com/cilium/cilium/issues/36917), [@gentoo-root](https://github.com/gentoo-root))
- chore(deps): update actions/setup-go action to v5.3.0 (v1.16) ([#37117](https://github.com/cilium/cilium/issues/37117), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#37244](https://github.com/cilium/cilium/issues/37244), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#37505](https://github.com/cilium/cilium/issues/37505), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#37343](https://github.com/cilium/cilium/issues/37343),
[@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#37550](https://github.com/cilium/cilium/issues/37550), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) ([#37338](https://github.com/cilium/cilium/issues/37338), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) ([#37215](https://github.com/cilium/cilium/issues/37215), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) ([#37503](https://github.com/cilium/cilium/issues/37503), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.23.6 (v1.16) ([#37497](https://github.com/cilium/cilium/issues/37497), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) ([#37201](https://github.com/cilium/cilium/issues/37201), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) ([#37411](https://github.com/cilium/cilium/issues/37411), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37326](https://github.com/cilium/cilium/issues/37326), [@aanm](https://github.com/aanm))
- clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36602](https://github.com/cilium/cilium/issues/36602),
[@joestringer](https://github.com/joestringer))
- doc(glossary): Geneve as final RFC (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37316](https://github.com/cilium/cilium/issues/37316), [@alagoutte](https://github.com/alagoutte))
- doc: ebpf host-routing and netfilter (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36921](https://github.com/cilium/cilium/issues/36921), [@PhilipSchmid](https://github.com/PhilipSchmid))
- doc: eks cluster restriction removed (Backport PR [#37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#37043](https://github.com/cilium/cilium/issues/37043), [@viktor-kurchenko](https://github.com/viktor-kurchenko))
- doc: Removed nodeinit from aks byocni install (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#37048](https://github.com/cilium/cilium/issues/37048), [@PhilipSchmid](https://github.com/PhilipSchmid))
- docs: Add SNI policy example (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37234](https://github.com/cilium/cilium/issues/37234), [@sayboras](https://github.com/sayboras))
- docs: Clarify Identity-Relevant Labels description (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#36924](https://github.com/cilium/cilium/issues/36924), [@joestringer](https://github.com/joestringer))
- docs: Fix broken link in BGP control plane docs (Backport PR [#37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#37241](https://github.com/cilium/cilium/issues/37241), [@mikejoh](https://github.com/mikejoh))
- docs: pass current_version to html_context (Backport PR [#37168](https://github.com/cilium/cilium/issues/37168), Upstream PR
[#&#8203;37008](https://github.com/cilium/cilium/issues/37008), [@&#8203;ayuspin](https://github.com/ayuspin)) - docs: Remove stale limitation on KPR+IPsec (Backport PR [#&#8203;37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#&#8203;37054](https://github.com/cilium/cilium/issues/37054), [@&#8203;pchaigno](https://github.com/pchaigno)) - images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR [#&#8203;37375](https://github.com/cilium/cilium/issues/37375), Upstream PR [#&#8203;34488](https://github.com/cilium/cilium/issues/34488), [@&#8203;tklauser](https://github.com/tklauser)) - proxy: Mark restored port as configured (Backport PR [#&#8203;37168](https://github.com/cilium/cilium/issues/37168), Upstream PR [#&#8203;36953](https://github.com/cilium/cilium/issues/36953), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Remove outdated roadmap matrix and links to it (Backport PR [#&#8203;37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#&#8203;37170](https://github.com/cilium/cilium/issues/37170), [@&#8203;xmulligan](https://github.com/xmulligan)) - remove stable tags from image build ([#&#8203;37394](https://github.com/cilium/cilium/issues/37394), [@&#8203;aanm](https://github.com/aanm)) - renovate: add fix grpc-go autodetection (Backport PR [#&#8203;37278](https://github.com/cilium/cilium/issues/37278), Upstream PR [#&#8203;33570](https://github.com/cilium/cilium/issues/33570), [@&#8203;aanm](https://github.com/aanm)) **Other Changes:** - \[v1.16] envoy: Bump envoy version to v1.31.x ([#&#8203;37157](https://github.com/cilium/cilium/issues/37157), [@&#8203;sayboras](https://github.com/sayboras)) - chore(deps): update go to v1.23.5 (v1.16) ([#&#8203;37189](https://github.com/cilium/cilium/issues/37189), [@&#8203;sayboras](https://github.com/sayboras)) - Do not leak ipcache entries when apiserver entities are cluster external ([#&#8203;36927](https://github.com/cilium/cilium/issues/36927), 
[@&#8203;antonipp](https://github.com/antonipp)) - install: Update image digests for v1.16.6 ([#&#8203;37154](https://github.com/cilium/cilium/issues/37154), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - Revert "chore(deps): update all-dependencies (v1.16)" ([#&#8203;37525](https://github.com/cilium/cilium/issues/37525), [@&#8203;sayboras](https://github.com/sayboras)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.16.7@&#8203;sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.7@&#8203;sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.16.7@&#8203;sha256:d5c331e03a7c9f158e43eef46537a7656b668dcf76e7b8397520770a51747803` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.7@&#8203;sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.7@&#8203;sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.7@&#8203;sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.7@&#8203;sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.7@&#8203;sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0` ##### operator `quay.io/cilium/operator:v1.16.7@&#8203;sha256:bac2496ba4348267ca5f16c2dd73ba7be76330cdd0eef0a6958c260a3bf5951d` </details> <details> <summary>haproxytech/helm-charts (haproxy)</summary> ### [`v1.24.0`](https://github.com/haproxytech/helm-charts/releases/tag/haproxy-1.24.0) [Compare Source](https://github.com/haproxytech/helm-charts/compare/haproxy-1.23.0...haproxy-1.24.0) A Helm chart for HAProxy on Kubernetes </details> --- ### 
Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4zMy4xIiwidXBkYXRlZEluVmVyIjoiMzkuMjAwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInJlbm92YXRlIl19-->
renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 0deb4608bf to 9657447379 2025-02-14 03:06:49 +00:00
renovate changed title from chore(deps): update helm release cilium to v1.17.0 to chore(deps): update helm release cilium to v1.17.1 2025-02-14 03:06:50 +00:00
renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 9657447379 to 9595b64b66 2025-02-23 03:07:37 +00:00
renovate changed title from chore(deps): update helm release cilium to v1.17.1 to chore(deps): update kubezero-network-dependencies 2025-02-23 03:07:43 +00:00
renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 9595b64b66 to eeef3d405d 2025-03-16 03:01:30 +00:00
renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from eeef3d405d to b5f3efc055 2025-04-15 03:02:53 +00:00
stefan merged commit 16b2e28fb1 into main 2025-04-23 16:14:49 +00:00
stefan deleted branch renovate/kubezero-network-kubezero-network-dependencies 2025-04-23 16:14:49 +00:00
Reference: ZeroDownTime/KubeZero#46