daemon: Switch to new load-balancing control-plane #38469
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/test |
658d6ec to
7a98cca
Compare
|
/test |
fe84755 to
f3f75fa
Compare
|
/test |
f3f75fa to
3619261
Compare
|
/test |
3619261 to
4891443
Compare
|
/test |
4891443 to
d6737ca
Compare
|
/test |
3c9137f to
87f0ccf
Compare
|
/test |
joamaki
commented
Mar 28, 2025
This comment was marked as resolved.
This comment was marked as resolved.
87f0ccf to
9208d73
Compare
|
/test |
mhofstetter
reviewed
Apr 4, 2025
9208d73 to
7768ad2
Compare
- Remove references to "experimental" - Remove the comparisons to prior control-plane - Add section on source code organization. - Add notice about using 'stress.sh'. - Add section on benchmarks. Signed-off-by: Jussi Maki <jussi@isovalent.com>
As with the prior implementation, keep the "cec" resources separate from
the "backendsync" resources since there can be multiple listeners referring to the
same clusters ("services") and these should be able to be changed separately,
e.g. listeners shouldn't need to be recomputed if backends change.
Switch to using prototext for rendering the envoy resources so that we're
checking for the whole message. Since prototext is on purpose not deterministic
don't compare the marshalled format but instead compare the unmarshalled messages.
Signed-off-by: Jussi Maki <jussi@isovalent.com>
Add the stress-test and watching scripts for working with the script tests. Signed-off-by: Jussi Maki <jussi@isovalent.com>
As the http connection manager references the route configurations we must generate one to avoid a timeout on Envoy side even if there are no routes. Signed-off-by: Jussi Maki <jussi@isovalent.com>
By adding the pods in one go the order in which they are processed is non-deterministic. Change the test to first add one pod and then after it has been processed add the second pod. Signed-off-by: Jussi Maki <jussi@isovalent.com>
48650e2 to
f557d26
Compare
|
/test |
joestringer
reviewed
Apr 15, 2025
I would suggest that there should be a release where there is the new version of the new control plane as well as the old one so that if there is a severe issue there's still the option to roll back to the old version. Forcing users over to the new implementation and finding out it's not solid enough can be discouraging for users. |
That is not feasible. We cannot maintain two complete control-plane implementations for a whole release without actually having full test coverage for both. There's lots of development happening now around these and they would quickly diverge. |
I'd say this release already exists, and it's
tbh I'm uncomfortable with the "forcing users" phrasing. I believe there's overall consensus that the new LB controlplane is a big step forward, and users will benefit from using it. At the same time - Cilium is a fast-moving project, and users will need to make a conscious decision whether they sufficiently care about the latest-greatest improvements, or prefer to move at a slower pace. |
|
I understand the concerns about maintaining two implementations and I think it's fair for us to say that instead of maintaining both in the same release, we focus our time on stabilizing the new implementation. @julianwiedmann's point that users have the liberty to pick which version they're going to run makes a lot of sense as well. Historically we've had some particularly nuanced upgrade scenarios where we really have needed to support old and new methods in the same version just to provide a good experience. I think I had extrapolated that this is generally required for all such transitions, but with consideration for this change I realize that this is not always the case. We have options around how we can mitigate these risks - both in terms of how users adopt the newer functionality as well as how we test the new implementation. Notably, the existing functionality for LB is already tested in CI and one of the aspects of this switch is to provide the same features as before at a baseline, while addressing tech debt and preparing the code for future extension. This is different from the past examples I was thinking about such as some of the policy / identity related changes or how we encode packets with the expectation that the receiver (on older versions) can successfully handle the traffic. |
|
This seems like it should be promoted to |
github-merge-queue bot
pushed a commit
to chezmoidotsh/arcane
that referenced
this pull request
Jul 29, 2025
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | HelmChart | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/chezmoidotsh/arcane). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidHlwZTogZGVwZW5kZW5jaWVzIl19-->
renovate bot
added a commit
to lambchop4prez/network
that referenced
this pull request
Jul 29, 2025
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | helm_release | minor | `1.17.6` -> `1.18.0` | | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lambchop4prez/network). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
nicolerenee
pushed a commit
to nicolerenee/infra
that referenced
this pull request
Jul 29, 2025
…ilium ( 1.17.6 → 1.18.0 ) (#709) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/home-operations/charts-mirror/cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (ghcr.io/home-operations/charts-mirror/cilium)</summary> ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40NS4wIiwidXBkYXRlZEluVmVyIjoiNDEuNDUuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvY29udGFpbmVyIiwidHlwZS9taW5vciJdfQ==--> Co-authored-by: bot-nicole[bot] <205127124+bot-nicole[bot]@users.noreply.github.com>
renovate bot
added a commit
to rupaschomaker/home-cluster
that referenced
this pull request
Jul 30, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/rupaschomaker/home-cluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvY29udGFpbmVyIiwidHlwZS9taW5vciJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Jul 30, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](cilium/cilium@1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](cilium/cilium#38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](cilium/cilium#37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](cilium/cilium#37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](cilium/cilium#39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](cilium/cilium#36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](cilium/cilium#38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](cilium/cilium#39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](cilium/cilium#38296), [cilium/cilium#39497](cilium/cilium#39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](cilium/cilium#39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](cilium/cilium#38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](cilium/cilium#38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](cilium/cilium#38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](cilium/cilium#39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](cilium/cilium#39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](cilium/cilium#37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](cilium/cilium#39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](cilium/cilium#36492), [cilium/cilium#37445](cilium/cilium#37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](cilium/cilium#40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](cilium/cilium#40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](cilium/cilium#39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](cilium/cilium#40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](cilium/cilium#38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](cilium/cilium#36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](cilium/cilium#37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](cilium/cilium#36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](cilium/cilium#37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](cilium/cilium#38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](cilium/cilium#36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](cilium/cilium#36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](cilium/cilium#38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](cilium/cilium#39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](cilium/cilium#37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](cilium/cilium#40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](cilium/cilium#39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](cilium/cilium#39124), [cilium/cilium#40175](cilium/cilium#40175), [cilium/cilium#39632](cilium/cilium#39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](cilium/cilium#38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](cilium/cilium#38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](cilium/cilium#39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](cilium/cilium#37792), [cilium/cilium#37402](cilium/cilium#37402), [cilium/cilium#40138](cilium/cilium#40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](cilium/cilium#39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](cilium/cilium#37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](cilium/cilium#39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](cilium/cilium#39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](cilium/cilium#39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](cilium/cilium#38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](cilium/cilium#37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](cilium/cilium#36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](cilium/cilium#36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](cilium/cilium#38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](cilium/cilium#37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](cilium/cilium#40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](cilium/cilium#38480), [cilium/cilium#39642](cilium/cilium#39642), [cilium/cilium#37418](cilium/cilium#37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xLjMiLCJ1cGRhdGVkSW5WZXIiOiI0MS4xLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1062 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
enchantednatures
pushed a commit
to enchantednatures/HomeCluster
that referenced
this pull request
Aug 5, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/enchantednatures/HomeCluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40Ni4zIiwidXBkYXRlZEluVmVyIjoiNDEuNDYuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
spiceratops
added a commit
to spiceratops/k8s-gitops
that referenced
this pull request
Aug 20, 2025
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | HelmChart | minor | `1.17.7` -> `1.18.1` | | [cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | | minor | `1.17.7` -> `1.18.1` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.1): 1.18.1 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.18.0...1.18.1) ## Summary of Changes **Minor Changes:** - Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled` and `kubernetes_version` feature metrics. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41003](https://redirect.github.com/cilium/cilium/issues/41003), [@​aanm](https://redirect.github.com/aanm)) - eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40852](https://redirect.github.com/cilium/cilium/issues/40852), [@​marseel](https://redirect.github.com/marseel)) - kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40920](https://redirect.github.com/cilium/cilium/issues/40920), [@​marseel](https://redirect.github.com/marseel)) - operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40322](https://redirect.github.com/cilium/cilium/issues/40322), [@​marseel](https://redirect.github.com/marseel)) **Bugfixes:** - Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. ([#​41116](https://redirect.github.com/cilium/cilium/issues/41116), [@​joamaki](https://redirect.github.com/joamaki)) - aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40656](https://redirect.github.com/cilium/cilium/issues/40656), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - clustermesh: fix regression possibly causing cross-cluster connections disruption if the clustermesh-apiserver is restarted at the same time as Cilium agents. (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40786](https://redirect.github.com/cilium/cilium/issues/40786), [@​giorio94](https://redirect.github.com/giorio94)) - clustermesh: fix regression preventing global services with unnamed ports from including remote backends (Backport PR [#​40865](https://redirect.github.com/cilium/cilium/issues/40865), Upstream PR [#​40848](https://redirect.github.com/cilium/cilium/issues/40848), [@​giorio94](https://redirect.github.com/giorio94)) - Fix bug where the presence of a label called "ingress" causes incorrect assignment of identities to workloads, affecting policy enforcement. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40791](https://redirect.github.com/cilium/cilium/issues/40791), [@​christarazi](https://redirect.github.com/christarazi)) - Fix skipping of LoadBalancer services when IPMode is not set to VIP (KEP-1860) (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40915](https://redirect.github.com/cilium/cilium/issues/40915), [@​joamaki](https://redirect.github.com/joamaki)) - fix([GH-37724](https://redirect.github.com/cilium/cilium/issues/37724)): Sync policies on startup (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40357](https://redirect.github.com/cilium/cilium/issues/40357), [@​anubhabMajumdar](https://redirect.github.com/anubhabMajumdar)) - fix: create policy snapshot only for sdp (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40785](https://redirect.github.com/cilium/cilium/issues/40785), [@​vipul-21](https://redirect.github.com/vipul-21)) - Fixes a bug where the Cilium agent may segfault when starting. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40824](https://redirect.github.com/cilium/cilium/issues/40824), [@​squeed](https://redirect.github.com/squeed)) - Fixes an error where the Ingress controller, when run in host network, created an invalid Service. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40232](https://redirect.github.com/cilium/cilium/issues/40232), [@​rtheobald](https://redirect.github.com/rtheobald)) - helm: Create envoy-config ConfigMap for preflight (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40875](https://redirect.github.com/cilium/cilium/issues/40875), [@​sayboras](https://redirect.github.com/sayboras)) - install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41021](https://redirect.github.com/cilium/cilium/issues/41021), [@​aanm](https://redirect.github.com/aanm)) - loadbalancer: Fix backend state in REST API (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40780](https://redirect.github.com/cilium/cilium/issues/40780), [@​mhofstetter](https://redirect.github.com/mhofstetter)) **CI Changes:** - .github/actions: only upload files with features-tested prefix (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40975](https://redirect.github.com/cilium/cilium/issues/40975), [@​aanm](https://redirect.github.com/aanm)) - Add TESTOWNERS file ([#​40864](https://redirect.github.com/cilium/cilium/issues/40864), [@​joestringer](https://redirect.github.com/joestringer)) - ci: Add Cleanup Disk space step into conformance-runtime (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40973](https://redirect.github.com/cilium/cilium/issues/40973), [@​rastislavs](https://redirect.github.com/rastislavs)) - ci: Fix CI-Fuzz Build failures (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40728](https://redirect.github.com/cilium/cilium/issues/40728), [@​lomackie](https://redirect.github.com/lomackie)) - ci: Reuse connectivity test flags in proxy-embedded (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41036](https://redirect.github.com/cilium/cilium/issues/41036), [@​joestringer](https://redirect.github.com/joestringer)) - endpoint: Avoid unnecessarily logging a warning during endpoint deletion (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40927](https://redirect.github.com/cilium/cilium/issues/40927), [@​christarazi](https://redirect.github.com/christarazi)) - Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40725](https://redirect.github.com/cilium/cilium/issues/40725), [@​pillai-ashwin](https://redirect.github.com/pillai-ashwin)) - Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40776](https://redirect.github.com/cilium/cilium/issues/40776), [@​pillai-ashwin](https://redirect.github.com/pillai-ashwin)) - ipsec: fix privileged tests (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41006](https://redirect.github.com/cilium/cilium/issues/41006), [@​smagnani96](https://redirect.github.com/smagnani96)) - tools/testowners: de-duplicate error logs (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40778](https://redirect.github.com/cilium/cilium/issues/40778), [@​tklauser](https://redirect.github.com/tklauser)) - workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40881](https://redirect.github.com/cilium/cilium/issues/40881), [@​smagnani96](https://redirect.github.com/smagnani96)) **Misc Changes:** - .github/workflows: bump build-images-base timeout to 60 minutes (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40919](https://redirect.github.com/cilium/cilium/issues/40919), [@​aanm](https://redirect.github.com/aanm)) - .github/workflows: print open file descriptors (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40941](https://redirect.github.com/cilium/cilium/issues/40941), [@​aanm](https://redirect.github.com/aanm)) - .github: fix removal of all files in /mnt (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40818](https://redirect.github.com/cilium/cilium/issues/40818), [@​aanm](https://redirect.github.com/aanm)) - .github: remove all contents of /mnt in build images CI (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40814](https://redirect.github.com/cilium/cilium/issues/40814), [@​aanm](https://redirect.github.com/aanm)) - chore(deps): update actions/download-artifact action to v5 (v1.18) ([#​41055](https://redirect.github.com/cilium/cilium/issues/41055), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​40901](https://redirect.github.com/cilium/cilium/issues/40901), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​41056](https://redirect.github.com/cilium/cilium/issues/41056), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​40900](https://redirect.github.com/cilium/cilium/issues/40900), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18) ([#​40898](https://redirect.github.com/cilium/cilium/issues/40898), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.6 (v1.18) ([#​40993](https://redirect.github.com/cilium/cilium/issues/40993), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​40899](https://redirect.github.com/cilium/cilium/issues/40899), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​41054](https://redirect.github.com/cilium/cilium/issues/41054), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - ci: add/change runner labels (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40972](https://redirect.github.com/cilium/cilium/issues/40972), [@​Artyop](https://redirect.github.com/Artyop)) - daemon/test: explicitly wait for identities synchronization (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40811](https://redirect.github.com/cilium/cilium/issues/40811), [@​giorio94](https://redirect.github.com/giorio94)) - docs: Remove references to v1.15 (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41033](https://redirect.github.com/cilium/cilium/issues/41033), [@​joestringer](https://redirect.github.com/joestringer)) - Fix loadbalancer handling of backends with ClusterID set (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40968](https://redirect.github.com/cilium/cilium/issues/40968), [@​giorio94](https://redirect.github.com/giorio94)) - Fix race condition issues (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40949](https://redirect.github.com/cilium/cilium/issues/40949), [@​aanm](https://redirect.github.com/aanm)) - fix(deps): update module github.com/docker/docker to v28.3.3+incompatible \[security] (v1.18) ([#​40793](https://redirect.github.com/cilium/cilium/issues/40793), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - loadbalancer: Raise default retry duration to 1 second (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40997](https://redirect.github.com/cilium/cilium/issues/40997), [@​joamaki](https://redirect.github.com/joamaki)) - loadbalancer: Use unique for L3n4Addr (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40633](https://redirect.github.com/cilium/cilium/issues/40633), [@​joamaki](https://redirect.github.com/joamaki)) - Makefile: Fix multi codeowner detection (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40923](https://redirect.github.com/cilium/cilium/issues/40923), [@​joestringer](https://redirect.github.com/joestringer)) - Reduced memory usage by roughly 10% for large EndpointSlices by sharing identical objects. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40987](https://redirect.github.com/cilium/cilium/issues/40987), [@​joamaki](https://redirect.github.com/joamaki)) - values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40625](https://redirect.github.com/cilium/cilium/issues/40625), [@​alagoutte](https://redirect.github.com/alagoutte)) - vendor: Bump to StateDB v0.4.5 (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40783](https://redirect.github.com/cilium/cilium/issues/40783), [@​joamaki](https://redirect.github.com/joamaki)) **Other Changes:** - ci: reduce gke failures ([#​41070](https://redirect.github.com/cilium/cilium/issues/41070), [@​brlbil](https://redirect.github.com/brlbil)) - install: Update image digests for v1.18.0 ([#​40782](https://redirect.github.com/cilium/cilium/issues/40782), [@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.1@​sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9` `quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.1@​sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb` `quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.1@​sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3` `quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.1@​sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0` `quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.1@​sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a` `quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.1@​sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042` `quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.1@​sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06` `quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.1@​sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc` `quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc` ##### operator `quay.io/cilium/operator:v1.18.1@​sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e` `quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e` ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.7...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): ##### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) ##### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) ##### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) ##### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) ##### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) ##### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) ##### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) ##### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) ##### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) ##### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community ##### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40NS4wIiwidXBkYXRlZEluVmVyIjoiNDEuODEuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=-->
zocimek
pushed a commit
to zocimek/home-ops
that referenced
this pull request
Aug 25, 2025
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.5`
-> `1.18.1` |
---
### Release Notes
<details>
<summary>cilium/cilium (cilium)</summary>
###
[`v1.18.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.1):
1.18.1
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.0...1.18.1)
## Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
- eni: improve logging and speed up ipam reconciliation in case of node
scale-downs (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40852](https://redirect.github.com/cilium/cilium/issues/40852),
[@​marseel](https://redirect.github.com/marseel))
- kvstore: Cilium Agent no longer fails health-check if operator is
unavailable (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40920](https://redirect.github.com/cilium/cilium/issues/40920),
[@​marseel](https://redirect.github.com/marseel))
- operator: CRDs are updated in series instead of in parallel now during
Cilium upgrades. This should lower the pressure on the k8s control plane
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40322](https://redirect.github.com/cilium/cilium/issues/40322),
[@​marseel](https://redirect.github.com/marseel))
**Bugfixes:**
- Add missing safeguards to topology-aware routing: use all backends
when no suitable one matching the zone hints are found or a backend
exists without a zone hint.
([#​41116](https://redirect.github.com/cilium/cilium/issues/41116),
[@​joamaki](https://redirect.github.com/joamaki))
- aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40656](https://redirect.github.com/cilium/cilium/issues/40656),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- clustermesh: fix regression possibly causing cross-cluster connections
disruption if the clustermesh-apiserver is restarted at the same time as
Cilium agents. (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40786](https://redirect.github.com/cilium/cilium/issues/40786),
[@​giorio94](https://redirect.github.com/giorio94))
- clustermesh: fix regression preventing global services with unnamed
ports from including remote backends (Backport PR
[#​40865](https://redirect.github.com/cilium/cilium/issues/40865),
Upstream PR
[#​40848](https://redirect.github.com/cilium/cilium/issues/40848),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix bug where the presence of a label called "ingress" causes
incorrect assignment of identities to workloads, affecting policy
enforcement. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40791](https://redirect.github.com/cilium/cilium/issues/40791),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix skipping of LoadBalancer services when IPMode is not set to VIP
(KEP-1860) (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40915](https://redirect.github.com/cilium/cilium/issues/40915),
[@​joamaki](https://redirect.github.com/joamaki))
-
fix([GH-37724](https://redirect.github.com/cilium/cilium/issues/37724)):
Sync policies on startup (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40357](https://redirect.github.com/cilium/cilium/issues/40357),
[@​anubhabMajumdar](https://redirect.github.com/anubhabMajumdar))
- fix: create policy snapshot only for sdp (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40785](https://redirect.github.com/cilium/cilium/issues/40785),
[@​vipul-21](https://redirect.github.com/vipul-21))
- Fixes a bug where the Cilium agent may segfault when starting.
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40824](https://redirect.github.com/cilium/cilium/issues/40824),
[@​squeed](https://redirect.github.com/squeed))
- Fixes an error where the Ingress controller, when run in host network,
created an invalid Service. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40232](https://redirect.github.com/cilium/cilium/issues/40232),
[@​rtheobald](https://redirect.github.com/rtheobald))
- helm: Create envoy-config ConfigMap for preflight (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40875](https://redirect.github.com/cilium/cilium/issues/40875),
[@​sayboras](https://redirect.github.com/sayboras))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- loadbalancer: Fix backend state in REST API (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40780](https://redirect.github.com/cilium/cilium/issues/40780),
[@​mhofstetter](https://redirect.github.com/mhofstetter))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- Add TESTOWNERS file
([#​40864](https://redirect.github.com/cilium/cilium/issues/40864),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: Add Cleanup Disk space step into conformance-runtime (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40973](https://redirect.github.com/cilium/cilium/issues/40973),
[@​rastislavs](https://redirect.github.com/rastislavs))
- ci: Fix CI-Fuzz Build failures (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40728](https://redirect.github.com/cilium/cilium/issues/40728),
[@​lomackie](https://redirect.github.com/lomackie))
- ci: Reuse connectivity test flags in proxy-embedded (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41036](https://redirect.github.com/cilium/cilium/issues/41036),
[@​joestringer](https://redirect.github.com/joestringer))
- endpoint: Avoid unnecessarily logging a warning during endpoint
deletion (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40927](https://redirect.github.com/cilium/cilium/issues/40927),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- ipsec: fix privileged tests (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41006](https://redirect.github.com/cilium/cilium/issues/41006),
[@​smagnani96](https://redirect.github.com/smagnani96))
- tools/testowners: de-duplicate error logs (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40881](https://redirect.github.com/cilium/cilium/issues/40881),
[@​smagnani96](https://redirect.github.com/smagnani96))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github/workflows: print open file descriptors (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40941](https://redirect.github.com/cilium/cilium/issues/40941),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- chore(deps): update actions/download-artifact action to v5 (v1.18)
([#​41055](https://redirect.github.com/cilium/cilium/issues/41055),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​40901](https://redirect.github.com/cilium/cilium/issues/40901),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​41056](https://redirect.github.com/cilium/cilium/issues/41056),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18)
([#​40900](https://redirect.github.com/cilium/cilium/issues/40900),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18)
([#​40898](https://redirect.github.com/cilium/cilium/issues/40898),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.18)
([#​40993](https://redirect.github.com/cilium/cilium/issues/40993),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​40899](https://redirect.github.com/cilium/cilium/issues/40899),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​41054](https://redirect.github.com/cilium/cilium/issues/41054),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- docs: Remove references to v1.15 (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41033](https://redirect.github.com/cilium/cilium/issues/41033),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix loadbalancer handling of backends with ClusterID set (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40968](https://redirect.github.com/cilium/cilium/issues/40968),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix race condition issues (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- fix(deps): update module github.com/docker/docker to
v28.3.3+incompatible \[security] (v1.18)
([#​40793](https://redirect.github.com/cilium/cilium/issues/40793),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- loadbalancer: Raise default retry duration to 1 second (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40997](https://redirect.github.com/cilium/cilium/issues/40997),
[@​joamaki](https://redirect.github.com/joamaki))
- loadbalancer: Use unique for L3n4Addr (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40633](https://redirect.github.com/cilium/cilium/issues/40633),
[@​joamaki](https://redirect.github.com/joamaki))
- Makefile: Fix multi codeowner detection (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Reduced memory usage by roughly 10% for large EndpointSlices by
sharing identical objects. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40987](https://redirect.github.com/cilium/cilium/issues/40987),
[@​joamaki](https://redirect.github.com/joamaki))
- values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40625](https://redirect.github.com/cilium/cilium/issues/40625),
[@​alagoutte](https://redirect.github.com/alagoutte))
- vendor: Bump to StateDB v0.4.5 (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40783](https://redirect.github.com/cilium/cilium/issues/40783),
[@​joamaki](https://redirect.github.com/joamaki))
**Other Changes:**
- ci: reduce gke failures
([#​41070](https://redirect.github.com/cilium/cilium/issues/41070),
[@​brlbil](https://redirect.github.com/brlbil))
- install: Update image digests for v1.18.0
([#​40782](https://redirect.github.com/cilium/cilium/issues/40782),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
#### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.18.1@​sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
`quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.18.1@​sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.18.1@​sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
`quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.18.1@​sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
`quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.18.1@​sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
`quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
##### operator-aws
`quay.io/cilium/operator-aws:v1.18.1@​sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
`quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
##### operator-azure
`quay.io/cilium/operator-azure:v1.18.1@​sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
`quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
##### operator-generic
`quay.io/cilium/operator-generic:v1.18.1@​sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
`quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
##### operator
`quay.io/cilium/operator:v1.18.1@​sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
`quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
###
[`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
1.18.0
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.7...1.18.0)
We are excited to announce the **[Cilium
1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)**
release!
A total of **3298 new commits** have been contributed to this release by
a growing community of over **955 developers** and over **22,000 GitHub
stars**! ⭐
To keep up to date with all the latest Cilium releases, see
[Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements)
Here's what's new in
[v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
#### 🚠 Networking
- **⚖️ Load Balancing Redesign**: The service load-balancing
control-plane in the Cilium agent has been redesigned to reduce memory
usage and improve future extensibility of load-balancing features
([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469),
[@​joamaki](https://redirect.github.com/joamaki))
- **🔌 Virtual Network Devices**: Added support for new virtual network
device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels
([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723),
[@​ldelossa](https://redirect.github.com/ldelossa);
[cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346),
[@​gyutaeb](https://redirect.github.com/gyutaeb))
- **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now
direct traffic towards multiple gateway nodes
([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304),
[@​carlos-abad](https://redirect.github.com/carlos-abad))
- **🚦 Ingress Rate Limiting**: The bandwidth manager now supports
ingress rate limiting
([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351),
[@​l1b0k](https://redirect.github.com/l1b0k))
- **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature
now supports multiple devices
([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more
resilient through a new system that reconciles desired neighbor entries
with the kernel state
([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
#### 🌐 IPv6
- **🚇 Tunneling Underlay**: The tunneling datapath mode now supports
using an IPv6 network underlay, including when configured with IPsec
transparent encryption
([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296),
[cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **💬 Kube Proxy Replacement**: Cilium now implements service
translation when running on an IPv6 underlay
([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **📋 Delegated IPAM**: When delegating IP address management to a third
party plugin, Cilium now configures IPv6 routes for connectivity if the
plugin supports IPv6
([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249),
[@​caorui-io](https://redirect.github.com/caorui-io),
[@​kadevu](https://redirect.github.com/kadevu))
- **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments
to apply policy and routing functionality
([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110),
[@​gentoo-root](https://redirect.github.com/gentoo-root))
- **🚪 Egress gateway policies** can now match IPv6 address ranges
([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452),
[@​rgo3](https://redirect.github.com/rgo3))
#### 🛡️ Policy & Observability
- **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that
allowed or denied traffic when monitoring flows in Hubble
([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453),
[@​antonipp](https://redirect.github.com/antonipp))
- **📝 Policy Log Fields**: A new free-text log field is added to
policies, which is exposed in Hubble flows for easy correlation and
searching
([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902),
[@​squeed](https://redirect.github.com/squeed))
- **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated
traffic for deeper introspection into traffic flows
([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634),
[@​kaworu](https://redirect.github.com/kaworu))
- **🏰 ClusterMesh Policy Restriction**: A new option allows the
**cluster** entity to apply only to the local cluster in ClusterMesh
environment
([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium
Grafana dashboard has been improved to show more relevant graphs,
including policy drops in both directions
([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492),
[cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445),
[@​squeed](https://redirect.github.com/squeed))
#### 🌅 Performance
- **📊 Scale Test Results**: Cilium implements policies and services up
to 45% faster in higher scale environments (Various;
[@​marseel](https://redirect.github.com/marseel),
[cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227))
- **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on
arm64 architecture images
([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005),
[@​marseel](https://redirect.github.com/marseel))
- **⚡ Improved Policy Performance**: The DNS proxy can process large
numbers of IPs faster, and the EndpointSelector match implementation has
been optimized
([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340),
[@​squeed](https://redirect.github.com/squeed);
[cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414),
[@​marseel](https://redirect.github.com/marseel))
- **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh
mirrors EndpointSlice from the local cluster instead of copying the
Service selectors when using the MCS-API controller
([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is
optimized by only synchronizing identities keyed by ID, not by value
([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- **🧠 Egress Gateway Processing**: Egress gateway policy processing is
significantly improved when matching a large number of pods
([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714),
[@​giorio94](https://redirect.github.com/giorio94))
- **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium
leverages batched iterators for CTMap GC
([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
#### ⚙️ Operations
- **📈 API Server Connections at Scale**: Improve kube-apiserver
connections behavior at scale through failover and setting better jitter
and backoff configurations
([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601),
[@​aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031),
[@​orange30](https://redirect.github.com/orange30);
[cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648),
[@​wedaly](https://redirect.github.com/wedaly))
- **🔄 ConfigMap Synchronization**: New option to automatically
synchronize ConfigMap changes into the agent and report metrics for when
the effective configuration is different from the desired configuration
([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510),
[@​ovidiutirla](https://redirect.github.com/ovidiutirla))
- **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**,
**CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API
([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940),
[@​christarazi](https://redirect.github.com/christarazi);
[cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090),
[@​pippolo84](https://redirect.github.com/pippolo84);
[cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765),
[@​rastislavs](https://redirect.github.com/rastislavs))
- **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new
default set of taints which avoids deploying to a drained node
([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137),
[@​Murat](https://redirect.github.com/Murat) Parlakisik)
- **:wood: Migrate to Slog**: Cilium now uses slog as log library for
all components
([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664),
[@​aanm](https://redirect.github.com/aanm))
- **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy
v1.34, LLVM 19.1, and CNI v1.1
([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124),
[cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175),
[cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632),
[@​sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868),
[@​squeed](https://redirect.github.com/squeed))
- **🐧 Minimum Linux Requirements**: The minimum kernel version for this
release series is Linux v5.10 or similar, such as RHEL 8.6
([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308),
[@​julianwiedmann](https://redirect.github.com/julianwiedmann))
#### 🕸️ Service Mesh & Gateway API
- **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0
([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590),
[@​sayboras](https://redirect.github.com/sayboras))
- **🔗 Improved GatewayClass Configuration**: The new
CiliumGatewayClassConfig object adds service type validation allows the
configuration of extra settings on a per-GatewayClass level:
LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium
to reconcile multiple GatewayClasses with different configurations
([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792),
[cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402),
[cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138),
[@​sayboras](https://redirect.github.com/sayboras))
- **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching
multiple HTTPRoutes to the same Service
([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922),
[@​youngnick](https://redirect.github.com/youngnick))
- **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all
changes to routes. This allows label updates to trigger reconciliation
correctly, amongst other things
([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798),
[@​sayboras](https://redirect.github.com/sayboras))
#### 🏷️ IP Address Management
- **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal
instances is now supported natively in Cilium's AWS ENI IPAM mode
([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678),
[@​41ks](https://redirect.github.com/41ks))
- **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in
external KVstore mode
([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode
with IPSec transparent encryption in tunnel routing mode
([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in
multi-pool IPAM mode
([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483),
[@​pippolo84](https://redirect.github.com/pippolo84))
#### 🛣️ BGP
- **📇 Route Aggregation**: Add support for BGP route aggregation in the
control plane
([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275),
[@​romanspb80](https://redirect.github.com/romanspb80))
- **🎯 Overlapping Selector Matches**: Support overlapping selector
matches in **CiliumBGPAdvertisement** resources
([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414),
[@​dswaffordcw](https://redirect.github.com/dswaffordcw))
- **🆔 New Router ID generation modes**: Generate router-id based on MAC
addresses, or from an IP address pool
([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451),
[@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi);
[cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300),
[@​liyihuang](https://redirect.github.com/liyihuang))
#### 🧑💻 Development Experience
- **🧪 Test attribution**: Identify owners of test in GitHub workflow
results to make it easier to connect with other developers on tricky
problems
([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027),
[@​Joe](https://redirect.github.com/Joe) Stringer)
- **🛏️ Policy REST API**: The Cilium policy API exposed over a local
unix socket is deprecated. The other mechanisms to configure policy via
Kubernetes resources or the local filesystem are preferred
([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212),
[@​squeed](https://redirect.github.com/squeed))
- **🏗️ Feature Deprecation**: Deprecate underused features like Custom
Calls, Recorder API and External Workloads
([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480),
[cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642),
[cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418),
[@​brb](https://redirect.github.com/brb))
#### 🏢 Community
- **❤️ Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus
Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner
Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB
Schenker](https://www.cncf.io/case-studies/db-schenker/),
[eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY),
[ECCO](https://www.cncf.io/case-studies/ecco/),
[G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social
Network
Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/),
and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M)
- **🇬🇧 London Events**: The community gathered at
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU)
in London
- **🇺🇸 Atlanta Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/)
and Cilium Developers Summit in Atlanta, Georgia
- **👥 SIG Community Meetings**: [SIG
Community](https://redirect.github.com/cilium/community/tree/main/sig-community)
now meets every first and third Thursday to foster, grow, and sustain
the Cilium open source community
#### 📔 Full CHANGELOG
- Full CHANGELOG.md can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md).
And finally, we would like to thank you to all contributors of Cilium
that helped directly and indirectly with the project. The success of
Cilium could not happen without all of you. ❤️ :people\_holding\_hands:
❤️
###
[`v1.17.7`](https://redirect.github.com/cilium/cilium/releases/tag/v1.17.7):
1.17.7
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.17.7)
## Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
**Bugfixes:**
- Added cleanup of deprecated cilium\_policy\_v1 maps (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​39400](https://redirect.github.com/cilium/cilium/issues/39400),
[@​pasteley](https://redirect.github.com/pasteley))
- bgp: Use private fork of the GoBGP to fix BGP MD5 auth (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40566](https://redirect.github.com/cilium/cilium/issues/40566),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- bpf/nat: fix header offset while reverse nat-ing icmp6 pkt too big.
(Backport PR
[#​40387](https://redirect.github.com/cilium/cilium/issues/40387),
Upstream PR
[#​40002](https://redirect.github.com/cilium/cilium/issues/40002),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- Enable protocol differentiation by default on the operator, matching
the agent
([#​40643](https://redirect.github.com/cilium/cilium/issues/40643),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- Fix a bug where Cilium leaks stale routes when IPsec is enabled.
(Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40653](https://redirect.github.com/cilium/cilium/issues/40653),
[@​pippolo84](https://redirect.github.com/pippolo84))
- fix(helm): fix values.schema.json types for
bpf.events.default.{rateLimit,burstLimit} (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40543](https://redirect.github.com/cilium/cilium/issues/40543),
[@​vchirikov](https://redirect.github.com/vchirikov))
- fix: kube-proxy healthz panic on port 10256
([#​40590](https://redirect.github.com/cilium/cilium/issues/40590),
[@​tamilmani1989](https://redirect.github.com/tamilmani1989))
- Helm: Correct seccompProfile for cilium-agent pods (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40476](https://redirect.github.com/cilium/cilium/issues/40476),
[@​jcpunk](https://redirect.github.com/jcpunk))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- pkg/ipam: fix multi-pool allocator not releasing un-used /32 and /128
CIDRs (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40393](https://redirect.github.com/cilium/cilium/issues/40393),
[@​alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))
- service: Only set algorithm annotation when requested
([#​40845](https://redirect.github.com/cilium/cilium/issues/40845),
[@​tsotne95](https://redirect.github.com/tsotne95))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- .github: Don't overwrite junit results (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39159](https://redirect.github.com/cilium/cilium/issues/39159),
[@​joestringer](https://redirect.github.com/joestringer))
- .github: Run final steps when tests aren't skipped (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40180](https://redirect.github.com/cilium/cilium/issues/40180),
[@​joestringer](https://redirect.github.com/joestringer))
- \[v1.17] .github: Remove use of cosign attest --recursive
([#​40699](https://redirect.github.com/cilium/cilium/issues/40699),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- \[v1.17] ci: Revert build\_commits runner to ubuntu-22.04
([#​40837](https://redirect.github.com/cilium/cilium/issues/40837),
[@​rastislavs](https://redirect.github.com/rastislavs))
- builder: Add tparse,junit tooling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39092](https://redirect.github.com/cilium/cilium/issues/39092),
[@​joestringer](https://redirect.github.com/joestringer))
- Centralize dynamic test ownership configuration (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38045](https://redirect.github.com/cilium/cilium/issues/38045),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: conformance-eks token extended to 8h (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40474](https://redirect.github.com/cilium/cilium/issues/40474),
[@​mathpl](https://redirect.github.com/mathpl))
- ci: more powerful runners for go linting (Backport PR
[#​40765](https://redirect.github.com/cilium/cilium/issues/40765),
Upstream PR
[#​40582](https://redirect.github.com/cilium/cilium/issues/40582),
[@​mathpl](https://redirect.github.com/mathpl))
- CLI: Attribute tests to codeowners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​37027](https://redirect.github.com/cilium/cilium/issues/37027),
[@​joestringer](https://redirect.github.com/joestringer))
- Emit junit output from BPF unit tests (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39099](https://redirect.github.com/cilium/cilium/issues/39099),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- pkg/egw: Add missing waitForReconciliationRun (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40355](https://redirect.github.com/cilium/cilium/issues/40355),
[@​aditighag](https://redirect.github.com/aditighag))
- spire: Fix unreliable test (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40561](https://redirect.github.com/cilium/cilium/issues/40561),
[@​joestringer](https://redirect.github.com/joestringer))
- tools/testowners: de-duplicate error logs (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- Upload junit results for Go unit test runs (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39015](https://redirect.github.com/cilium/cilium/issues/39015),
[@​joestringer](https://redirect.github.com/joestringer))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix upload artifacts for features.json
([#​41091](https://redirect.github.com/cilium/cilium/issues/41091),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove stable tag from v1.17 branches
([#​40772](https://redirect.github.com/cilium/cilium/issues/40772),
[@​aanm](https://redirect.github.com/aanm))
- certloader: Add client variants of watched TLS configs (Backport PR
[#​40624](https://redirect.github.com/cilium/cilium/issues/40624),
Upstream PR
[#​40399](https://redirect.github.com/cilium/cilium/issues/40399),
[@​devodev](https://redirect.github.com/devodev))
- chore(deps): update actions/download-artifact action to v5 (v1.17)
([#​41058](https://redirect.github.com/cilium/cilium/issues/41058),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40746](https://redirect.github.com/cilium/cilium/issues/40746),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40905](https://redirect.github.com/cilium/cilium/issues/40905),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​41059](https://redirect.github.com/cilium/cilium/issues/41059),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40744](https://redirect.github.com/cilium/cilium/issues/40744),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40984](https://redirect.github.com/cilium/cilium/issues/40984),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.17)
([#​40902](https://redirect.github.com/cilium/cilium/issues/40902),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.26
(v1.17)
([#​40646](https://redirect.github.com/cilium/cilium/issues/40646),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.5 docker digest to
[`ef5b4be`](https://redirect.github.com/cilium/cilium/commit/ef5b4be)
(v1.17)
([#​40745](https://redirect.github.com/cilium/cilium/issues/40745),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.17)
([#​40994](https://redirect.github.com/cilium/cilium/issues/40994),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.33.6-1753919866-df8077dbd3932edccb59f1c5c70e01f2c1f63741 (v1.17)
([#​40903](https://redirect.github.com/cilium/cilium/issues/40903),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40673](https://redirect.github.com/cilium/cilium/issues/40673),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40904](https://redirect.github.com/cilium/cilium/issues/40904),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​41057](https://redirect.github.com/cilium/cilium/issues/41057),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- cli: Load code owners dynamically via --code-owners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38044](https://redirect.github.com/cilium/cilium/issues/38044),
[@​joestringer](https://redirect.github.com/joestringer))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- doc:monitor: clarify direction traced with default aggregation level
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40398](https://redirect.github.com/cilium/cilium/issues/40398),
[@​smagnani96](https://redirect.github.com/smagnani96))
- docs: Add missing IPAM modes to configuration page (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40540](https://redirect.github.com/cilium/cilium/issues/40540),
[@​RayyanSeliya](https://redirect.github.com/RayyanSeliya))
- docs: Add warning about changing an IP pool (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40567](https://redirect.github.com/cilium/cilium/issues/40567),
[@​sorrison](https://redirect.github.com/sorrison))
- docs: remove l7 EnableDefaultDeny callout (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40441](https://redirect.github.com/cilium/cilium/issues/40441),
[@​squeed](https://redirect.github.com/squeed))
- Fix race condition issues (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- Makefile: Fix multi codeowner detection (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Makefile: Improve tparse,junit output handling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39098](https://redirect.github.com/cilium/cilium/issues/39098),
[@​joestringer](https://redirect.github.com/joestringer))
- Support extending cilium-agent volumes as a downstream packager
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40401](https://redirect.github.com/cilium/cilium/issues/40401),
[@​devodev](https://redirect.github.com/devodev))
- tools: Move codeowners library from cilium-cli dir (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40253](https://redirect.github.com/cilium/cilium/issues/40253),
[@​joestringer](https://redirect.github.com/joestringer))
**Other Changes:**
- Fix bug where LocalRedirectPolicy forwarding would break if you enable
`bpf-lb-algorithm-annotation`
([#​40246](https://redirect.github.com/cilium/cilium/issues/40246),
[@​tarabrind](https://redirect.github.com/tarabrind))
- images: update cilium-{runtime,builder}
([#​40839](https://redirect.github.com/cilium/cilium/issues/40839),
[@​aanm](https://redirect.github.com/aanm))
- install: Update image digests for v1.17.6
([#​40546](https://redirect.github.com/cilium/cilium/issues/40546),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
- vendor: Bump to StateDB v0.4.5
([#​40850](https://redirect.github.com/cilium/cilium/issues/40850),
[@​joamaki](https://redirect.github.com/joamaki))
#### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.17.7@​sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.17.7@​sha256:2852feca0d0d936ed0333cd64859f3c5ece2db582ba5fed848f57aff786be4a6`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.17.7@​sha256:1b7c8d64f01b309521f13ab2a15239a688b9f545bb97058d383ad3bb55e42e67`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.17.7@​sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.17.7@​sha256:271e64d6c91019a1a4815b4c78294962bf51c9f764c680fdfacb2adb6e9d0c4d`
##### operator-aws
`quay.io/cilium/operator-aws:v1.17.7@​sha256:ce37d2ccf921761a4171a507748a06a204592890e6f8cf7d1c354648e098c830`
##### operator-azure
`quay.io/cilium/operator-azure:v1.17.7@​sha256:9c1db11de2e0cdcaba522c8f396b9a643738f3d3f958fa9b4d62f57bac5daafb`
##### operator-generic
`quay.io/cilium/operator-generic:v1.17.7@​sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788`
##### operator
`quay.io/cilium/operator:v1.17.7@​sha256:122e49fce82df90693f8981e5d9013b6a9248284db17226259e39364ba9a211d`
###
[`v1.17.6`](https://redirect.github.com/cilium/cilium/releases/tag/v1.17.6):
1.17.6
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.5...1.17.6)
## Summary of Changes
**Minor Changes:**
- helm: KPR subflag changes (Backport PR
[#​40222](https://redirect.github.com/cilium/cilium/issues/40222),
Upstream PR
[#​39721](https://redirect.github.com/cilium/cilium/issues/39721),
[@​brb](https://redirect.github.com/brb))
**Bugfixes:**
- Deny policies are now synced to Envoy so that they can be enforced for
Ingress policies. (Backport PR
[#​40187](https://redirect.github.com/cilium/cilium/issues/40187),
Upstream PR
[#​39736](https://redirect.github.com/cilium/cilium/issues/39736),
[@​jrajahalme](https://redirect.github.com/jrajahalme))
- Do not fail the agent startup in case IPv6 support is enabled and the
node does not have an IPv6 address assigned yet (Backport PR
[#​40205](https://redirect.github.com/cilium/cilium/issues/40205),
Upstream PR
[#​40143](https://redirect.github.com/cilium/cilium/issues/40143),
[@​pippolo84](https://redirect.github.com/pippolo84))
- Fix bug preventing a global service from including remote backends, if
the local service has no selector, and the remote one gets removed and
then added again.
([#​40361](https://redirect.github.com/cilium/cilium/issues/40361),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix data race involving DumpReliablyWithCallback map operation.
(Backport PR
[#​40094](https://redirect.github.com/cilium/cilium/issues/40094),
Upstream PR
[#​38590](https://redirect.github.com/cilium/cilium/issues/38590),
[@​aditighag](https://redirect.github.com/aditighag))
- Fix IPAM IP release racing condition when IP reassigned back to ENI
(Backport PR
[#​40289](https://redirect.github.com/cilium/cilium/issues/40289),
Upstream PR
[#​40019](https://redirect.github.com/cilium/cilium/issues/40019),
[@​victorcq](https://redirect.github.com/victorcq))
- hubble automatically pick the `hubble-prefer-ipv6` to `true` if ipv4
not enabled (Backport PR
[#​40289](https://redirect.github.com/cilium/cilium/issues/40289),
Upstream PR
[#​40210](https://redirect.github.com/cilium/cilium/issues/40210),
[@​chengjoey](https://redirect.github.com/chengjoey))
- LBIPAM: Fix deletion of CiliumLoadBalancerIPPool with multiple IP
blocks that led to an operator crash (Backport PR
[#​40094](https://redirect.github.com/cilium/cilium/issues/40094),
Upstream PR
[#​40013](https://redirect.github.com/cilium/cilium/issues/40013),
[@​pippolo84](https://redirect.github.com/pippolo84))
- pkg/egressgateway: ensure gateway IP is IPv4 (Backport PR
[#​40332](https://redirect.github.com/cilium/cilium/issues/40332),
Upstream PR
[#​40209](https://redirect.github.com/cilium/cilium/issues/40209),
[@​rgo3](https://redirect.github.com/rgo3))
- policy: fix error handling for selector policy resolution
([#​40404](https://redirect.github.com/cilium/cilium/issues/40404),
[@​fristonio](https://redirect.github.com/fristonio))
**CI Changes:**
- ci: do not run north-south conn disrupt tests for 5.4 kernels
([#​39443](https://redirect.github.com/cilium/cilium/issues/39443),
[@​ldelossa](https://redirect.github.com/ldelossa))
- ci: fix north-south conn disrupt for 5.4 kernel
([#​40434](https://redirect.github.com/cilium/cilium/issues/40434),
[@​smagnani96](https://redirect.github.com/smagnani96))
**Misc Changes:**
- .github/workflows: remove reviewers if ciliumbot approved PR (Backport
PR
[#​40094](https://redirect.github.com/cilium/cilium/issues/40094),
Upstream PR
[#​39989](https://redirect.github.com/cilium/cilium/issues/39989),
[@​aanm](https://redirect.github.com/aanm))
- auto-approve: add repository as part command (Backport PR
[#​40094](https://redirect.github.com/cilium/cilium/issues/40094),
Upstream PR
[#​40050](https://redirect.github.com/cilium/cilium/issues/40050),
[@​aanm](https://redirect.github.com/aanm))
- auto-approve: add repository as part command (Backport PR [#R
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/zocimek/home-ops).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4yMy4yIiwidXBkYXRlZEluVmVyIjoiNDEuNzEuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
zocimek
pushed a commit
to zocimek/home-ops
that referenced
this pull request
Aug 25, 2025
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.6`
-> `1.18.1` |
---
### Release Notes
<details>
<summary>cilium/cilium (cilium)</summary>
###
[`v1.18.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.1):
1.18.1
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.0...1.18.1)
## Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
- eni: improve logging and speed up ipam reconciliation in case of node
scale-downs (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40852](https://redirect.github.com/cilium/cilium/issues/40852),
[@​marseel](https://redirect.github.com/marseel))
- kvstore: Cilium Agent no longer fails health-check if operator is
unavailable (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40920](https://redirect.github.com/cilium/cilium/issues/40920),
[@​marseel](https://redirect.github.com/marseel))
- operator: CRDs are updated in series instead of in parallel now during
Cilium upgrades. This should lower the pressure on the k8s control plane
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40322](https://redirect.github.com/cilium/cilium/issues/40322),
[@​marseel](https://redirect.github.com/marseel))
**Bugfixes:**
- Add missing safeguards to topology-aware routing: use all backends
when no suitable one matching the zone hints are found or a backend
exists without a zone hint.
([#​41116](https://redirect.github.com/cilium/cilium/issues/41116),
[@​joamaki](https://redirect.github.com/joamaki))
- aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40656](https://redirect.github.com/cilium/cilium/issues/40656),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- clustermesh: fix regression possibly causing cross-cluster connections
disruption if the clustermesh-apiserver is restarted at the same time as
Cilium agents. (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40786](https://redirect.github.com/cilium/cilium/issues/40786),
[@​giorio94](https://redirect.github.com/giorio94))
- clustermesh: fix regression preventing global services with unnamed
ports from including remote backends (Backport PR
[#​40865](https://redirect.github.com/cilium/cilium/issues/40865),
Upstream PR
[#​40848](https://redirect.github.com/cilium/cilium/issues/40848),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix bug where the presence of a label called "ingress" causes
incorrect assignment of identities to workloads, affecting policy
enforcement. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40791](https://redirect.github.com/cilium/cilium/issues/40791),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix skipping of LoadBalancer services when IPMode is not set to VIP
(KEP-1860) (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40915](https://redirect.github.com/cilium/cilium/issues/40915),
[@​joamaki](https://redirect.github.com/joamaki))
-
fix([GH-37724](https://redirect.github.com/cilium/cilium/issues/37724)):
Sync policies on startup (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40357](https://redirect.github.com/cilium/cilium/issues/40357),
[@​anubhabMajumdar](https://redirect.github.com/anubhabMajumdar))
- fix: create policy snapshot only for sdp (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40785](https://redirect.github.com/cilium/cilium/issues/40785),
[@​vipul-21](https://redirect.github.com/vipul-21))
- Fixes a bug where the Cilium agent may segfault when starting.
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40824](https://redirect.github.com/cilium/cilium/issues/40824),
[@​squeed](https://redirect.github.com/squeed))
- Fixes an error where the Ingress controller, when run in host network,
created an invalid Service. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40232](https://redirect.github.com/cilium/cilium/issues/40232),
[@​rtheobald](https://redirect.github.com/rtheobald))
- helm: Create envoy-config ConfigMap for preflight (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40875](https://redirect.github.com/cilium/cilium/issues/40875),
[@​sayboras](https://redirect.github.com/sayboras))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- loadbalancer: Fix backend state in REST API (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40780](https://redirect.github.com/cilium/cilium/issues/40780),
[@​mhofstetter](https://redirect.github.com/mhofstetter))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- Add TESTOWNERS file
([#​40864](https://redirect.github.com/cilium/cilium/issues/40864),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: Add Cleanup Disk space step into conformance-runtime (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40973](https://redirect.github.com/cilium/cilium/issues/40973),
[@​rastislavs](https://redirect.github.com/rastislavs))
- ci: Fix CI-Fuzz Build failures (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40728](https://redirect.github.com/cilium/cilium/issues/40728),
[@​lomackie](https://redirect.github.com/lomackie))
- ci: Reuse connectivity test flags in proxy-embedded (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41036](https://redirect.github.com/cilium/cilium/issues/41036),
[@​joestringer](https://redirect.github.com/joestringer))
- endpoint: Avoid unnecessarily logging a warning during endpoint
deletion (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40927](https://redirect.github.com/cilium/cilium/issues/40927),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- ipsec: fix privileged tests (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41006](https://redirect.github.com/cilium/cilium/issues/41006),
[@​smagnani96](https://redirect.github.com/smagnani96))
- tools/testowners: de-duplicate error logs (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40881](https://redirect.github.com/cilium/cilium/issues/40881),
[@​smagnani96](https://redirect.github.com/smagnani96))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github/workflows: print open file descriptors (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40941](https://redirect.github.com/cilium/cilium/issues/40941),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- chore(deps): update actions/download-artifact action to v5 (v1.18)
([#​41055](https://redirect.github.com/cilium/cilium/issues/41055),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​40901](https://redirect.github.com/cilium/cilium/issues/40901),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​41056](https://redirect.github.com/cilium/cilium/issues/41056),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18)
([#​40900](https://redirect.github.com/cilium/cilium/issues/40900),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18)
([#​40898](https://redirect.github.com/cilium/cilium/issues/40898),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.18)
([#​40993](https://redirect.github.com/cilium/cilium/issues/40993),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​40899](https://redirect.github.com/cilium/cilium/issues/40899),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​41054](https://redirect.github.com/cilium/cilium/issues/41054),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- docs: Remove references to v1.15 (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41033](https://redirect.github.com/cilium/cilium/issues/41033),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix loadbalancer handling of backends with ClusterID set (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40968](https://redirect.github.com/cilium/cilium/issues/40968),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix race condition issues (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- fix(deps): update module github.com/docker/docker to
v28.3.3+incompatible \[security] (v1.18)
([#​40793](https://redirect.github.com/cilium/cilium/issues/40793),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- loadbalancer: Raise default retry duration to 1 second (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40997](https://redirect.github.com/cilium/cilium/issues/40997),
[@​joamaki](https://redirect.github.com/joamaki))
- loadbalancer: Use unique for L3n4Addr (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40633](https://redirect.github.com/cilium/cilium/issues/40633),
[@​joamaki](https://redirect.github.com/joamaki))
- Makefile: Fix multi codeowner detection (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Reduced memory usage by roughly 10% for large EndpointSlices by
sharing identical objects. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40987](https://redirect.github.com/cilium/cilium/issues/40987),
[@​joamaki](https://redirect.github.com/joamaki))
- values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40625](https://redirect.github.com/cilium/cilium/issues/40625),
[@​alagoutte](https://redirect.github.com/alagoutte))
- vendor: Bump to StateDB v0.4.5 (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40783](https://redirect.github.com/cilium/cilium/issues/40783),
[@​joamaki](https://redirect.github.com/joamaki))
**Other Changes:**
- ci: reduce gke failures
([#​41070](https://redirect.github.com/cilium/cilium/issues/41070),
[@​brlbil](https://redirect.github.com/brlbil))
- install: Update image digests for v1.18.0
([#​40782](https://redirect.github.com/cilium/cilium/issues/40782),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
#### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.18.1@​sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
`quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.18.1@​sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.18.1@​sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
`quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.18.1@​sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
`quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.18.1@​sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
`quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
##### operator-aws
`quay.io/cilium/operator-aws:v1.18.1@​sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
`quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
##### operator-azure
`quay.io/cilium/operator-azure:v1.18.1@​sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
`quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
##### operator-generic
`quay.io/cilium/operator-generic:v1.18.1@​sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
`quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
##### operator
`quay.io/cilium/operator:v1.18.1@​sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
`quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
###
[`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
1.18.0
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.7...1.18.0)
We are excited to announce the **[Cilium
1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)**
release!
A total of **3298 new commits** have been contributed to this release by
a growing community of over **955 developers** and over **22,000 GitHub
stars**! ⭐
To keep up to date with all the latest Cilium releases, see
[Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements)
Here's what's new in
[v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
#### 🚠 Networking
- **⚖️ Load Balancing Redesign**: The service load-balancing
control-plane in the Cilium agent has been redesigned to reduce memory
usage and improve future extensibility of load-balancing features
([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469),
[@​joamaki](https://redirect.github.com/joamaki))
- **🔌 Virtual Network Devices**: Added support for new virtual network
device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels
([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723),
[@​ldelossa](https://redirect.github.com/ldelossa);
[cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346),
[@​gyutaeb](https://redirect.github.com/gyutaeb))
- **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now
direct traffic towards multiple gateway nodes
([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304),
[@​carlos-abad](https://redirect.github.com/carlos-abad))
- **🚦 Ingress Rate Limiting**: The bandwidth manager now supports
ingress rate limiting
([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351),
[@​l1b0k](https://redirect.github.com/l1b0k))
- **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature
now supports multiple devices
([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more
resilient through a new system that reconciles desired neighbor entries
with the kernel state
([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
#### 🌐 IPv6
- **🚇 Tunneling Underlay**: The tunneling datapath mode now supports
using an IPv6 network underlay, including when configured with IPsec
transparent encryption
([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296),
[cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **💬 Kube Proxy Replacement**: Cilium now implements service
translation when running on an IPv6 underlay
([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **📋 Delegated IPAM**: When delegating IP address management to a third
party plugin, Cilium now configures IPv6 routes for connectivity if the
plugin supports IPv6
([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249),
[@​caorui-io](https://redirect.github.com/caorui-io),
[@​kadevu](https://redirect.github.com/kadevu))
- **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments
to apply policy and routing functionality
([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110),
[@​gentoo-root](https://redirect.github.com/gentoo-root))
- **🚪 Egress gateway policies** can now match IPv6 address ranges
([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452),
[@​rgo3](https://redirect.github.com/rgo3))
#### 🛡️ Policy & Observability
- **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that
allowed or denied traffic when monitoring flows in Hubble
([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453),
[@​antonipp](https://redirect.github.com/antonipp))
- **📝 Policy Log Fields**: A new free-text log field is added to
policies, which is exposed in Hubble flows for easy correlation and
searching
([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902),
[@​squeed](https://redirect.github.com/squeed))
- **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated
traffic for deeper introspection into traffic flows
([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634),
[@​kaworu](https://redirect.github.com/kaworu))
- **🏰 ClusterMesh Policy Restriction**: A new option allows the
**cluster** entity to apply only to the local cluster in ClusterMesh
environment
([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium
Grafana dashboard has been improved to show more relevant graphs,
including policy drops in both directions
([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492),
[cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445),
[@​squeed](https://redirect.github.com/squeed))
#### 🌅 Performance
- **📊 Scale Test Results**: Cilium implements policies and services up
to 45% faster in higher scale environments (Various;
[@​marseel](https://redirect.github.com/marseel),
[cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227))
- **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on
arm64 architecture images
([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005),
[@​marseel](https://redirect.github.com/marseel))
- **⚡ Improved Policy Performance**: The DNS proxy can process large
numbers of IPs faster, and the EndpointSelector match implementation has
been optimized
([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340),
[@​squeed](https://redirect.github.com/squeed);
[cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414),
[@​marseel](https://redirect.github.com/marseel))
- **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh
mirrors EndpointSlice from the local cluster instead of copying the
Service selectors when using the MCS-API controller
([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is
optimized by only synchronizing identities keyed by ID, not by value
([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- **🧠 Egress Gateway Processing**: Egress gateway policy processing is
significantly improved when matching a large number of pods
([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714),
[@​giorio94](https://redirect.github.com/giorio94))
- **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium
leverages batched iterators for CTMap GC
([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
#### ⚙️ Operations
- **📈 API Server Connections at Scale**: Improve kube-apiserver
connections behavior at scale through failover and setting better jitter
and backoff configurations
([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601),
[@​aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031),
[@​orange30](https://redirect.github.com/orange30);
[cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648),
[@​wedaly](https://redirect.github.com/wedaly))
- **🔄 ConfigMap Synchronization**: New option to automatically
synchronize ConfigMap changes into the agent and report metrics for when
the effective configuration is different from the desired configuration
([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510),
[@​ovidiutirla](https://redirect.github.com/ovidiutirla))
- **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**,
**CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API
([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940),
[@​christarazi](https://redirect.github.com/christarazi);
[cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090),
[@​pippolo84](https://redirect.github.com/pippolo84);
[cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765),
[@​rastislavs](https://redirect.github.com/rastislavs))
- **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new
default set of taints which avoids deploying to a drained node
([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137),
[@​Murat](https://redirect.github.com/Murat) Parlakisik)
- **:wood: Migrate to Slog**: Cilium now uses slog as log library for
all components
([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664),
[@​aanm](https://redirect.github.com/aanm))
- **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy
v1.34, LLVM 19.1, and CNI v1.1
([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124),
[cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175),
[cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632),
[@​sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868),
[@​squeed](https://redirect.github.com/squeed))
- **🐧 Minimum Linux Requirements**: The minimum kernel version for this
release series is Linux v5.10 or similar, such as RHEL 8.6
([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308),
[@​julianwiedmann](https://redirect.github.com/julianwiedmann))
#### 🕸️ Service Mesh & Gateway API
- **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0
([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590),
[@​sayboras](https://redirect.github.com/sayboras))
- **🔗 Improved GatewayClass Configuration**: The new
CiliumGatewayClassConfig object adds service type validation allows the
configuration of extra settings on a per-GatewayClass level:
LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium
to reconcile multiple GatewayClasses with different configurations
([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792),
[cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402),
[cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138),
[@​sayboras](https://redirect.github.com/sayboras))
- **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching
multiple HTTPRoutes to the same Service
([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922),
[@​youngnick](https://redirect.github.com/youngnick))
- **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all
changes to routes. This allows label updates to trigger reconciliation
correctly, amongst other things
([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798),
[@​sayboras](https://redirect.github.com/sayboras))
#### 🏷️ IP Address Management
- **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal
instances is now supported natively in Cilium's AWS ENI IPAM mode
([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678),
[@​41ks](https://redirect.github.com/41ks))
- **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in
external KVstore mode
([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode
with IPSec transparent encryption in tunnel routing mode
([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in
multi-pool IPAM mode
([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483),
[@​pippolo84](https://redirect.github.com/pippolo84))
#### 🛣️ BGP
- **📇 Route Aggregation**: Add support for BGP route aggregation in the
control plane
([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275),
[@​romanspb80](https://redirect.github.com/romanspb80))
- **🎯 Overlapping Selector Matches**: Support overlapping selector
matches in **CiliumBGPAdvertisement** resources
([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414),
[@​dswaffordcw](https://redirect.github.com/dswaffordcw))
- **🆔 New Router ID generation modes**: Generate router-id based on MAC
addresses, or from an IP address pool
([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451),
[@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi);
[cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300),
[@​liyihuang](https://redirect.github.com/liyihuang))
#### 🧑💻 Development Experience
- **🧪 Test attribution**: Identify owners of test in GitHub workflow
results to make it easier to connect with other developers on tricky
problems
([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027),
[@​Joe](https://redirect.github.com/Joe) Stringer)
- **🛏️ Policy REST API**: The Cilium policy API exposed over a local
unix socket is deprecated. The other mechanisms to configure policy via
Kubernetes resources or the local filesystem are preferred
([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212),
[@​squeed](https://redirect.github.com/squeed))
- **🏗️ Feature Deprecation**: Deprecate underused features like Custom
Calls, Recorder API and External Workloads
([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480),
[cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642),
[cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418),
[@​brb](https://redirect.github.com/brb))
#### 🏢 Community
- **❤️ Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus
Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner
Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB
Schenker](https://www.cncf.io/case-studies/db-schenker/),
[eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY),
[ECCO](https://www.cncf.io/case-studies/ecco/),
[G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social
Network
Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/),
and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M)
- **🇬🇧 London Events**: The community gathered at
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU)
in London
- **🇺🇸 Atlanta Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/)
and Cilium Developers Summit in Atlanta, Georgia
- **👥 SIG Community Meetings**: [SIG
Community](https://redirect.github.com/cilium/community/tree/main/sig-community)
now meets every first and third Thursday to foster, grow, and sustain
the Cilium open source community
#### 📔 Full CHANGELOG
- Full CHANGELOG.md can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md).
And finally, we would like to thank you to all contributors of Cilium
that helped directly and indirectly with the project. The success of
Cilium could not happen without all of you. ❤️ :people\_holding\_hands:
❤️
###
[`v1.17.7`](https://redirect.github.com/cilium/cilium/releases/tag/v1.17.7):
1.17.7
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.17.7)
## Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
**Bugfixes:**
- Added cleanup of deprecated cilium\_policy\_v1 maps (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​39400](https://redirect.github.com/cilium/cilium/issues/39400),
[@​pasteley](https://redirect.github.com/pasteley))
- bgp: Use private fork of the GoBGP to fix BGP MD5 auth (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40566](https://redirect.github.com/cilium/cilium/issues/40566),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- bpf/nat: fix header offset while reverse nat-ing icmp6 pkt too big.
(Backport PR
[#​40387](https://redirect.github.com/cilium/cilium/issues/40387),
Upstream PR
[#​40002](https://redirect.github.com/cilium/cilium/issues/40002),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- Enable protocol differentiation by default on the operator, matching
the agent
([#​40643](https://redirect.github.com/cilium/cilium/issues/40643),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- Fix a bug where Cilium leaks stale routes when IPsec is enabled.
(Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40653](https://redirect.github.com/cilium/cilium/issues/40653),
[@​pippolo84](https://redirect.github.com/pippolo84))
- fix(helm): fix values.schema.json types for
bpf.events.default.{rateLimit,burstLimit} (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40543](https://redirect.github.com/cilium/cilium/issues/40543),
[@​vchirikov](https://redirect.github.com/vchirikov))
- fix: kube-proxy healthz panic on port 10256
([#​40590](https://redirect.github.com/cilium/cilium/issues/40590),
[@​tamilmani1989](https://redirect.github.com/tamilmani1989))
- Helm: Correct seccompProfile for cilium-agent pods (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40476](https://redirect.github.com/cilium/cilium/issues/40476),
[@​jcpunk](https://redirect.github.com/jcpunk))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- pkg/ipam: fix multi-pool allocator not releasing un-used /32 and /128
CIDRs (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40393](https://redirect.github.com/cilium/cilium/issues/40393),
[@​alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))
- service: Only set algorithm annotation when requested
([#​40845](https://redirect.github.com/cilium/cilium/issues/40845),
[@​tsotne95](https://redirect.github.com/tsotne95))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- .github: Don't overwrite junit results (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39159](https://redirect.github.com/cilium/cilium/issues/39159),
[@​joestringer](https://redirect.github.com/joestringer))
- .github: Run final steps when tests aren't skipped (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40180](https://redirect.github.com/cilium/cilium/issues/40180),
[@​joestringer](https://redirect.github.com/joestringer))
- \[v1.17] .github: Remove use of cosign attest --recursive
([#​40699](https://redirect.github.com/cilium/cilium/issues/40699),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- \[v1.17] ci: Revert build\_commits runner to ubuntu-22.04
([#​40837](https://redirect.github.com/cilium/cilium/issues/40837),
[@​rastislavs](https://redirect.github.com/rastislavs))
- builder: Add tparse,junit tooling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39092](https://redirect.github.com/cilium/cilium/issues/39092),
[@​joestringer](https://redirect.github.com/joestringer))
- Centralize dynamic test ownership configuration (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38045](https://redirect.github.com/cilium/cilium/issues/38045),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: conformance-eks token extended to 8h (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40474](https://redirect.github.com/cilium/cilium/issues/40474),
[@​mathpl](https://redirect.github.com/mathpl))
- ci: more powerful runners for go linting (Backport PR
[#​40765](https://redirect.github.com/cilium/cilium/issues/40765),
Upstream PR
[#​40582](https://redirect.github.com/cilium/cilium/issues/40582),
[@​mathpl](https://redirect.github.com/mathpl))
- CLI: Attribute tests to codeowners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​37027](https://redirect.github.com/cilium/cilium/issues/37027),
[@​joestringer](https://redirect.github.com/joestringer))
- Emit junit output from BPF unit tests (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39099](https://redirect.github.com/cilium/cilium/issues/39099),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- pkg/egw: Add missing waitForReconciliationRun (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40355](https://redirect.github.com/cilium/cilium/issues/40355),
[@​aditighag](https://redirect.github.com/aditighag))
- spire: Fix unreliable test (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40561](https://redirect.github.com/cilium/cilium/issues/40561),
[@​joestringer](https://redirect.github.com/joestringer))
- tools/testowners: de-duplicate error logs (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- Upload junit results for Go unit test runs (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39015](https://redirect.github.com/cilium/cilium/issues/39015),
[@​joestringer](https://redirect.github.com/joestringer))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix upload artifacts for features.json
([#​41091](https://redirect.github.com/cilium/cilium/issues/41091),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove stable tag from v1.17 branches
([#​40772](https://redirect.github.com/cilium/cilium/issues/40772),
[@​aanm](https://redirect.github.com/aanm))
- certloader: Add client variants of watched TLS configs (Backport PR
[#​40624](https://redirect.github.com/cilium/cilium/issues/40624),
Upstream PR
[#​40399](https://redirect.github.com/cilium/cilium/issues/40399),
[@​devodev](https://redirect.github.com/devodev))
- chore(deps): update actions/download-artifact action to v5 (v1.17)
([#​41058](https://redirect.github.com/cilium/cilium/issues/41058),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40746](https://redirect.github.com/cilium/cilium/issues/40746),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40905](https://redirect.github.com/cilium/cilium/issues/40905),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​41059](https://redirect.github.com/cilium/cilium/issues/41059),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40744](https://redirect.github.com/cilium/cilium/issues/40744),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40984](https://redirect.github.com/cilium/cilium/issues/40984),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.17)
([#​40902](https://redirect.github.com/cilium/cilium/issues/40902),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.26
(v1.17)
([#​40646](https://redirect.github.com/cilium/cilium/issues/40646),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.5 docker digest to
[`ef5b4be`](https://redirect.github.com/cilium/cilium/commit/ef5b4be)
(v1.17)
([#​40745](https://redirect.github.com/cilium/cilium/issues/40745),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.17)
([#​40994](https://redirect.github.com/cilium/cilium/issues/40994),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.33.6-1753919866-df8077dbd3932edccb59f1c5c70e01f2c1f63741 (v1.17)
([#​40903](https://redirect.github.com/cilium/cilium/issues/40903),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40673](https://redirect.github.com/cilium/cilium/issues/40673),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40904](https://redirect.github.com/cilium/cilium/issues/40904),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​41057](https://redirect.github.com/cilium/cilium/issues/41057),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- cli: Load code owners dynamically via --code-owners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38044](https://redirect.github.com/cilium/cilium/issues/38044),
[@​joestringer](https://redirect.github.com/joestringer))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- doc:monitor: clarify direction traced with default aggregation level
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40398](https://redirect.github.com/cilium/cilium/issues/40398),
[@​smagnani96](https://redirect.github.com/smagnani96))
- docs: Add missing IPAM modes to configuration page (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40540](https://redirect.github.com/cilium/cilium/issues/40540),
[@​RayyanSeliya](https://redirect.github.com/RayyanSeliya))
- docs: Add warning about changing an IP pool (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40567](https://redirect.github.com/cilium/cilium/issues/40567),
[@​sorrison](https://redirect.github.com/sorrison))
- docs: remove l7 EnableDefaultDeny callout (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40441](https://redirect.github.com/cilium/cilium/issues/40441),
[@​squeed](https://redirect.github.com/squeed))
- Fix race condition issues (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- Makefile: Fix multi codeowner detection (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Makefile: Improve tparse,junit output handling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39098](https://redirect.github.com/cilium/cilium/issues/39098),
[@​joestringer](https://redirect.github.com/joestringer))
- Support extending cilium-agent volumes as a downstream packager
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40401](https://redirect.github.com/cilium/cilium/issues/40401),
[@​devodev](https://redirect.github.com/devodev))
- tools: Move codeowners library from cilium-cli dir (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40253](https://redirect.github.com/cilium/cilium/issues/40253),
[@​joestringer](https://redirect.github.com/joestringer))
**Other Changes:**
- Fix bug where LocalRedirectPolicy forwarding would break if you enable
`bpf-lb-algorithm-annotation`
([#​40246](https://redirect.github.com/cilium/cilium/issues/40246),
[@​tarabrind](https://redirect.github.com/tarabrind))
- images: update cilium-{runtime,builder}
([#​40839](https://redirect.github.com/cilium/cilium/issues/40839),
[@​aanm](https://redirect.github.com/aanm))
- install: Update image digests for v1.17.6
([#​40546](https://redirect.github.com/cilium/cilium/issues/40546),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
- vendor: Bump to StateDB v0.4.5
([#​40850](https://redirect.github.com/cilium/cilium/issues/40850),
[@​joamaki](https://redirect.github.com/joamaki))
#### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.17.7@​sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.17.7@​sha256:2852feca0d0d936ed0333cd64859f3c5ece2db582ba5fed848f57aff786be4a6`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.17.7@​sha256:1b7c8d64f01b309521f13ab2a15239a688b9f545bb97058d383ad3bb55e42e67`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.17.7@​sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.17.7@​sha256:271e64d6c91019a1a4815b4c78294962bf51c9f764c680fdfacb2adb6e9d0c4d`
##### operator-aws
`quay.io/cilium/operator-aws:v1.17.7@​sha256:ce37d2ccf921761a4171a507748a06a204592890e6f8cf7d1c354648e098c830`
##### operator-azure
`quay.io/cilium/operator-azure:v1.17.7@​sha256:9c1db11de2e0cdcaba522c8f396b9a643738f3d3f958fa9b4d62f57bac5daafb`
##### operator-generic
`quay.io/cilium/operator-generic:v1.17.7@​sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788`
##### operator
`quay.io/cilium/operator:v1.17.7@​sha256:122e49fce82df90693f8981e5d9013b6a9248284db17226259e39364ba9a211d`
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/zocimek/home-ops).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi43IiwidXBkYXRlZEluVmVyIjoiNDEuODIuNyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
lumiere-bot bot
added a commit
to coolguy1771/home-ops
that referenced
this pull request
Sep 4, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/home-operations/charts-mirror/cilium](https://cilium.io/) ([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.1` | | quay.io/cilium/hubble-ui | patch | `v0.13.2` -> `v0.13.3` | | quay.io/cilium/hubble-ui-backend | patch | `v0.13.2` -> `v0.13.3` | --- ### Release Notes <details> <summary>cilium/cilium (ghcr.io/home-operations/charts-mirror/cilium)</summary> ### [`v1.18.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.1): 1.18.1 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.18.0...1.18.1) ## Summary of Changes **Minor Changes:** - Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled` and `kubernetes_version` feature metrics. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41003](https://redirect.github.com/cilium/cilium/issues/41003), [@​aanm](https://redirect.github.com/aanm)) - eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40852](https://redirect.github.com/cilium/cilium/issues/40852), [@​marseel](https://redirect.github.com/marseel)) - kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40920](https://redirect.github.com/cilium/cilium/issues/40920), [@​marseel](https://redirect.github.com/marseel)) - operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40322](https://redirect.github.com/cilium/cilium/issues/40322), [@​marseel](https://redirect.github.com/marseel)) **Bugfixes:** - Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. ([#​41116](https://redirect.github.com/cilium/cilium/issues/41116), [@​joamaki](https://redirect.github.com/joamaki)) - aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40656](https://redirect.github.com/cilium/cilium/issues/40656), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - clustermesh: fix regression possibly causing cross-cluster connections disruption if the clustermesh-apiserver is restarted at the same time as Cilium agents. (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40786](https://redirect.github.com/cilium/cilium/issues/40786), [@​giorio94](https://redirect.github.com/giorio94)) - clustermesh: fix regression preventing global services with unnamed ports from including remote backends (Backport PR [#​40865](https://redirect.github.com/cilium/cilium/issues/40865), Upstream PR [#​40848](https://redirect.github.com/cilium/cilium/issues/40848), [@​giorio94](https://redirect.github.com/giorio94)) - Fix bug where the presence of a label called "ingress" causes incorrect assignment of identities to workloads, affecting policy enforcement. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40791](https://redirect.github.com/cilium/cilium/issues/40791), [@​christarazi](https://redirect.github.com/christarazi)) - Fix skipping of LoadBalancer services when IPMode is not set to VIP (KEP-1860) (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40915](https://redirect.github.com/cilium/cilium/issues/40915), [@​joamaki](https://redirect.github.com/joamaki)) - fix([GH-37724](https://redirect.github.com/cilium/cilium/issues/37724)): Sync policies on startup (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40357](https://redirect.github.com/cilium/cilium/issues/40357), [@​anubhabMajumdar](https://redirect.github.com/anubhabMajumdar)) - fix: create policy snapshot only for sdp (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40785](https://redirect.github.com/cilium/cilium/issues/40785), [@​vipul-21](https://redirect.github.com/vipul-21)) - Fixes a bug where the Cilium agent may segfault when starting. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40824](https://redirect.github.com/cilium/cilium/issues/40824), [@​squeed](https://redirect.github.com/squeed)) - Fixes an error where the Ingress controller, when run in host network, created an invalid Service. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40232](https://redirect.github.com/cilium/cilium/issues/40232), [@​rtheobald](https://redirect.github.com/rtheobald)) - helm: Create envoy-config ConfigMap for preflight (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40875](https://redirect.github.com/cilium/cilium/issues/40875), [@​sayboras](https://redirect.github.com/sayboras)) - install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41021](https://redirect.github.com/cilium/cilium/issues/41021), [@​aanm](https://redirect.github.com/aanm)) - loadbalancer: Fix backend state in REST API (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40780](https://redirect.github.com/cilium/cilium/issues/40780), [@​mhofstetter](https://redirect.github.com/mhofstetter)) **CI Changes:** - .github/actions: only upload files with features-tested prefix (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40975](https://redirect.github.com/cilium/cilium/issues/40975), [@​aanm](https://redirect.github.com/aanm)) - Add TESTOWNERS file ([#​40864](https://redirect.github.com/cilium/cilium/issues/40864), [@​joestringer](https://redirect.github.com/joestringer)) - ci: Add Cleanup Disk space step into conformance-runtime (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40973](https://redirect.github.com/cilium/cilium/issues/40973), [@​rastislavs](https://redirect.github.com/rastislavs)) - ci: Fix CI-Fuzz Build failures (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40728](https://redirect.github.com/cilium/cilium/issues/40728), [@​lomackie](https://redirect.github.com/lomackie)) - ci: Reuse connectivity test flags in proxy-embedded (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41036](https://redirect.github.com/cilium/cilium/issues/41036), [@​joestringer](https://redirect.github.com/joestringer)) - endpoint: Avoid unnecessarily logging a warning during endpoint deletion (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40927](https://redirect.github.com/cilium/cilium/issues/40927), [@​christarazi](https://redirect.github.com/christarazi)) - Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40725](https://redirect.github.com/cilium/cilium/issues/40725), [@​pillai-ashwin](https://redirect.github.com/pillai-ashwin)) - Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40776](https://redirect.github.com/cilium/cilium/issues/40776), [@​pillai-ashwin](https://redirect.github.com/pillai-ashwin)) - ipsec: fix privileged tests (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41006](https://redirect.github.com/cilium/cilium/issues/41006), [@​smagnani96](https://redirect.github.com/smagnani96)) - tools/testowners: de-duplicate error logs (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40778](https://redirect.github.com/cilium/cilium/issues/40778), [@​tklauser](https://redirect.github.com/tklauser)) - workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40881](https://redirect.github.com/cilium/cilium/issues/40881), [@​smagnani96](https://redirect.github.com/smagnani96)) **Misc Changes:** - .github/workflows: bump build-images-base timeout to 60 minutes (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40919](https://redirect.github.com/cilium/cilium/issues/40919), [@​aanm](https://redirect.github.com/aanm)) - .github/workflows: print open file descriptors (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40941](https://redirect.github.com/cilium/cilium/issues/40941), [@​aanm](https://redirect.github.com/aanm)) - .github: fix removal of all files in /mnt (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40818](https://redirect.github.com/cilium/cilium/issues/40818), [@​aanm](https://redirect.github.com/aanm)) - .github: remove all contents of /mnt in build images CI (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40814](https://redirect.github.com/cilium/cilium/issues/40814), [@​aanm](https://redirect.github.com/aanm)) - chore(deps): update actions/download-artifact action to v5 (v1.18) ([#​41055](https://redirect.github.com/cilium/cilium/issues/41055), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​40901](https://redirect.github.com/cilium/cilium/issues/40901), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​41056](https://redirect.github.com/cilium/cilium/issues/41056), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​40900](https://redirect.github.com/cilium/cilium/issues/40900), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18) ([#​40898](https://redirect.github.com/cilium/cilium/issues/40898), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.6 (v1.18) ([#​40993](https://redirect.github.com/cilium/cilium/issues/40993), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​40899](https://redirect.github.com/cilium/cilium/issues/40899), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​41054](https://redirect.github.com/cilium/cilium/issues/41054), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - ci: add/change runner labels (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40972](https://redirect.github.com/cilium/cilium/issues/40972), [@​Artyop](https://redirect.github.com/Artyop)) - daemon/test: explicitly wait for identities synchronization (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40811](https://redirect.github.com/cilium/cilium/issues/40811), [@​giorio94](https://redirect.github.com/giorio94)) - docs: Remove references to v1.15 (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​41033](https://redirect.github.com/cilium/cilium/issues/41033), [@​joestringer](https://redirect.github.com/joestringer)) - Fix loadbalancer handling of backends with ClusterID set (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40968](https://redirect.github.com/cilium/cilium/issues/40968), [@​giorio94](https://redirect.github.com/giorio94)) - Fix race condition issues (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40949](https://redirect.github.com/cilium/cilium/issues/40949), [@​aanm](https://redirect.github.com/aanm)) - fix(deps): update module github.com/docker/docker to v28.3.3+incompatible \[security] (v1.18) ([#​40793](https://redirect.github.com/cilium/cilium/issues/40793), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - loadbalancer: Raise default retry duration to 1 second (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40997](https://redirect.github.com/cilium/cilium/issues/40997), [@​joamaki](https://redirect.github.com/joamaki)) - loadbalancer: Use unique for L3n4Addr (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40633](https://redirect.github.com/cilium/cilium/issues/40633), [@​joamaki](https://redirect.github.com/joamaki)) - Makefile: Fix multi codeowner detection (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40923](https://redirect.github.com/cilium/cilium/issues/40923), [@​joestringer](https://redirect.github.com/joestringer)) - Reduced memory usage by roughly 10% for large EndpointSlices by sharing identical objects. (Backport PR [#​41078](https://redirect.github.com/cilium/cilium/issues/41078), Upstream PR [#​40987](https://redirect.github.com/cilium/cilium/issues/40987), [@​joamaki](https://redirect.github.com/joamaki)) - values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater (Backport PR [#​40847](https://redirect.github.com/cilium/cilium/issues/40847), Upstream PR [#​40625](https://redirect.github.com/cilium/cilium/issues/40625), [@​alagoutte](https://redirect.github.com/alagoutte)) - vendor: Bump to StateDB v0.4.5 (Backport PR [#​40979](https://redirect.github.com/cilium/cilium/issues/40979), Upstream PR [#​40783](https://redirect.github.com/cilium/cilium/issues/40783), [@​joamaki](https://redirect.github.com/joamaki)) **Other Changes:** - ci: reduce gke failures ([#​41070](https://redirect.github.com/cilium/cilium/issues/41070), [@​brlbil](https://redirect.github.com/brlbil)) - install: Update image digests for v1.18.0 ([#​40782](https://redirect.github.com/cilium/cilium/issues/40782), [@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.1@​sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9` `quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.1@​sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb` `quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.1@​sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3` `quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.1@​sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0` `quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.1@​sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a` `quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.1@​sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042` `quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.1@​sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06` `quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.1@​sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc` `quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc` ##### operator `quay.io/cilium/operator:v1.18.1@​sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e` `quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e` ### [`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0): ##### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469), [@​joamaki](https://redirect.github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723), [@​ldelossa](https://redirect.github.com/ldelossa); [cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://redirect.github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://redirect.github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351), [@​l1b0k](https://redirect.github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) ##### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497), [@​pchaigno](https://redirect.github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074), [@​pchaigno](https://redirect.github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249), [@​caorui-io](https://redirect.github.com/caorui-io), [@​kadevu](https://redirect.github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://redirect.github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452), [@​rgo3](https://redirect.github.com/rgo3)) ##### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453), [@​antonipp](https://redirect.github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902), [@​squeed](https://redirect.github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634), [@​kaworu](https://redirect.github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445), [@​squeed](https://redirect.github.com/squeed)) ##### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://redirect.github.com/marseel), [cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005), [@​marseel](https://redirect.github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340), [@​squeed](https://redirect.github.com/squeed); [cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414), [@​marseel](https://redirect.github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://redirect.github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://redirect.github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714), [@​giorio94](https://redirect.github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) ##### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601), [@​aditighag](https://redirect.github.com/aditighag); [cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031), [@​orange30](https://redirect.github.com/orange30); [cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648), [@​wedaly](https://redirect.github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://redirect.github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940), [@​christarazi](https://redirect.github.com/christarazi); [cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090), [@​pippolo84](https://redirect.github.com/pippolo84); [cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765), [@​rastislavs](https://redirect.github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137), [@​Murat](https://redirect.github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664), [@​aanm](https://redirect.github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632), [@​sayboras](https://redirect.github.com/sayboras); [cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868), [@​squeed](https://redirect.github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) ##### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590), [@​sayboras](https://redirect.github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138), [@​sayboras](https://redirect.github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922), [@​youngnick](https://redirect.github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798), [@​sayboras](https://redirect.github.com/sayboras)) ##### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678), [@​41ks](https://redirect.github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638), [@​pippolo84](https://redirect.github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442), [@​pippolo84](https://redirect.github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483), [@​pippolo84](https://redirect.github.com/pippolo84)) ##### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275), [@​romanspb80](https://redirect.github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://redirect.github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi); [cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300), [@​liyihuang](https://redirect.github.com/liyihuang)) ##### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027), [@​Joe](https://redirect.github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212), [@​squeed](https://redirect.github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418), [@​brb](https://redirect.github.com/brb)) ##### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://redirect.github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community ##### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40NS4wIiwidXBkYXRlZEluVmVyIjoiNDEuOTMuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvY29udGFpbmVyIiwidHlwZS9taW5vciIsInR5cGUvcGF0Y2giXX0=--> Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
lumiere-bot bot
added a commit
to coolguy1771/home-ops
that referenced
this pull request
Sep 4, 2025
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | | minor |
`1.17.6` -> `1.18.1` |
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | HelmChart |
minor | `1.17.6` -> `1.18.1` |
---
### Release Notes
<details>
<summary>cilium/cilium (cilium)</summary>
###
[`v1.18.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.1):
1.18.1
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.0...1.18.1)
## Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
- eni: improve logging and speed up ipam reconciliation in case of node
scale-downs (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40852](https://redirect.github.com/cilium/cilium/issues/40852),
[@​marseel](https://redirect.github.com/marseel))
- kvstore: Cilium Agent no longer fails health-check if operator is
unavailable (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40920](https://redirect.github.com/cilium/cilium/issues/40920),
[@​marseel](https://redirect.github.com/marseel))
- operator: CRDs are updated in series instead of in parallel now during
Cilium upgrades. This should lower the pressure on the k8s control plane
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40322](https://redirect.github.com/cilium/cilium/issues/40322),
[@​marseel](https://redirect.github.com/marseel))
**Bugfixes:**
- Add missing safeguards to topology-aware routing: use all backends
when no suitable one matching the zone hints are found or a backend
exists without a zone hint.
([#​41116](https://redirect.github.com/cilium/cilium/issues/41116),
[@​joamaki](https://redirect.github.com/joamaki))
- aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40656](https://redirect.github.com/cilium/cilium/issues/40656),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- clustermesh: fix regression possibly causing cross-cluster connections
disruption if the clustermesh-apiserver is restarted at the same time as
Cilium agents. (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40786](https://redirect.github.com/cilium/cilium/issues/40786),
[@​giorio94](https://redirect.github.com/giorio94))
- clustermesh: fix regression preventing global services with unnamed
ports from including remote backends (Backport PR
[#​40865](https://redirect.github.com/cilium/cilium/issues/40865),
Upstream PR
[#​40848](https://redirect.github.com/cilium/cilium/issues/40848),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix bug where the presence of a label called "ingress" causes
incorrect assignment of identities to workloads, affecting policy
enforcement. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40791](https://redirect.github.com/cilium/cilium/issues/40791),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix skipping of LoadBalancer services when IPMode is not set to VIP
(KEP-1860) (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40915](https://redirect.github.com/cilium/cilium/issues/40915),
[@​joamaki](https://redirect.github.com/joamaki))
-
fix([GH-37724](https://redirect.github.com/cilium/cilium/issues/37724)):
Sync policies on startup (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40357](https://redirect.github.com/cilium/cilium/issues/40357),
[@​anubhabMajumdar](https://redirect.github.com/anubhabMajumdar))
- fix: create policy snapshot only for sdp (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40785](https://redirect.github.com/cilium/cilium/issues/40785),
[@​vipul-21](https://redirect.github.com/vipul-21))
- Fixes a bug where the Cilium agent may segfault when starting.
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40824](https://redirect.github.com/cilium/cilium/issues/40824),
[@​squeed](https://redirect.github.com/squeed))
- Fixes an error where the Ingress controller, when run in host network,
created an invalid Service. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40232](https://redirect.github.com/cilium/cilium/issues/40232),
[@​rtheobald](https://redirect.github.com/rtheobald))
- helm: Create envoy-config ConfigMap for preflight (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40875](https://redirect.github.com/cilium/cilium/issues/40875),
[@​sayboras](https://redirect.github.com/sayboras))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- loadbalancer: Fix backend state in REST API (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40780](https://redirect.github.com/cilium/cilium/issues/40780),
[@​mhofstetter](https://redirect.github.com/mhofstetter))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- Add TESTOWNERS file
([#​40864](https://redirect.github.com/cilium/cilium/issues/40864),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: Add Cleanup Disk space step into conformance-runtime (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40973](https://redirect.github.com/cilium/cilium/issues/40973),
[@​rastislavs](https://redirect.github.com/rastislavs))
- ci: Fix CI-Fuzz Build failures (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40728](https://redirect.github.com/cilium/cilium/issues/40728),
[@​lomackie](https://redirect.github.com/lomackie))
- ci: Reuse connectivity test flags in proxy-embedded (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41036](https://redirect.github.com/cilium/cilium/issues/41036),
[@​joestringer](https://redirect.github.com/joestringer))
- endpoint: Avoid unnecessarily logging a warning during endpoint
deletion (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40927](https://redirect.github.com/cilium/cilium/issues/40927),
[@​christarazi](https://redirect.github.com/christarazi))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- ipsec: fix privileged tests (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41006](https://redirect.github.com/cilium/cilium/issues/41006),
[@​smagnani96](https://redirect.github.com/smagnani96))
- tools/testowners: de-duplicate error logs (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40881](https://redirect.github.com/cilium/cilium/issues/40881),
[@​smagnani96](https://redirect.github.com/smagnani96))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github/workflows: print open file descriptors (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40941](https://redirect.github.com/cilium/cilium/issues/40941),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- chore(deps): update actions/download-artifact action to v5 (v1.18)
([#​41055](https://redirect.github.com/cilium/cilium/issues/41055),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​40901](https://redirect.github.com/cilium/cilium/issues/40901),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#​41056](https://redirect.github.com/cilium/cilium/issues/41056),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18)
([#​40900](https://redirect.github.com/cilium/cilium/issues/40900),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18)
([#​40898](https://redirect.github.com/cilium/cilium/issues/40898),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.18)
([#​40993](https://redirect.github.com/cilium/cilium/issues/40993),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​40899](https://redirect.github.com/cilium/cilium/issues/40899),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#​41054](https://redirect.github.com/cilium/cilium/issues/41054),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- docs: Remove references to v1.15 (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​41033](https://redirect.github.com/cilium/cilium/issues/41033),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix loadbalancer handling of backends with ClusterID set (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40968](https://redirect.github.com/cilium/cilium/issues/40968),
[@​giorio94](https://redirect.github.com/giorio94))
- Fix race condition issues (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- fix(deps): update module github.com/docker/docker to
v28.3.3+incompatible \[security] (v1.18)
([#​40793](https://redirect.github.com/cilium/cilium/issues/40793),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- loadbalancer: Raise default retry duration to 1 second (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40997](https://redirect.github.com/cilium/cilium/issues/40997),
[@​joamaki](https://redirect.github.com/joamaki))
- loadbalancer: Use unique for L3n4Addr (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40633](https://redirect.github.com/cilium/cilium/issues/40633),
[@​joamaki](https://redirect.github.com/joamaki))
- Makefile: Fix multi codeowner detection (Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Reduced memory usage by roughly 10% for large EndpointSlices by
sharing identical objects. (Backport PR
[#​41078](https://redirect.github.com/cilium/cilium/issues/41078),
Upstream PR
[#​40987](https://redirect.github.com/cilium/cilium/issues/40987),
[@​joamaki](https://redirect.github.com/joamaki))
- values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater
(Backport PR
[#​40847](https://redirect.github.com/cilium/cilium/issues/40847),
Upstream PR
[#​40625](https://redirect.github.com/cilium/cilium/issues/40625),
[@​alagoutte](https://redirect.github.com/alagoutte))
- vendor: Bump to StateDB v0.4.5 (Backport PR
[#​40979](https://redirect.github.com/cilium/cilium/issues/40979),
Upstream PR
[#​40783](https://redirect.github.com/cilium/cilium/issues/40783),
[@​joamaki](https://redirect.github.com/joamaki))
**Other Changes:**
- ci: reduce gke failures
([#​41070](https://redirect.github.com/cilium/cilium/issues/41070),
[@​brlbil](https://redirect.github.com/brlbil))
- install: Update image digests for v1.18.0
([#​40782](https://redirect.github.com/cilium/cilium/issues/40782),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
##### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.18.1@​sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
`quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.18.1@​sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.18.1@​sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
`quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.18.1@​sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
`quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.18.1@​sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
`quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a`
##### operator-aws
`quay.io/cilium/operator-aws:v1.18.1@​sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
`quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042`
##### operator-azure
`quay.io/cilium/operator-azure:v1.18.1@​sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
`quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06`
##### operator-generic
`quay.io/cilium/operator-generic:v1.18.1@​sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
`quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc`
##### operator
`quay.io/cilium/operator:v1.18.1@​sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
`quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e`
###
[`v1.18.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
1.18.0
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.7...1.18.0)
We are excited to announce the **[Cilium
1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0)**
release!
A total of **3298 new commits** have been contributed to this release by
a growing community of over **955 developers** and over **22,000 GitHub
stars**! ⭐
To keep up to date with all the latest Cilium releases, see
[Announcements](https://redirect.github.com/cilium/cilium/discussions/categories/announcements)
Here's what's new in
[v1.18.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.0):
##### 🚠 Networking
- **⚖️ Load Balancing Redesign**: The service load-balancing
control-plane in the Cilium agent has been redesigned to reduce memory
usage and improve future extensibility of load-balancing features
([cilium/cilium#38469](https://redirect.github.com/cilium/cilium/pull/38469),
[@​joamaki](https://redirect.github.com/joamaki))
- **🔌 Virtual Network Devices**: Added support for new virtual network
device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels
([cilium/cilium#37723](https://redirect.github.com/cilium/cilium/pull/37723),
[@​ldelossa](https://redirect.github.com/ldelossa);
[cilium/cilium#37346](https://redirect.github.com/cilium/cilium/pull/37346),
[@​gyutaeb](https://redirect.github.com/gyutaeb))
- **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now
direct traffic towards multiple gateway nodes
([cilium/cilium#39304](https://redirect.github.com/cilium/cilium/pull/39304),
[@​carlos-abad](https://redirect.github.com/carlos-abad))
- **🚦 Ingress Rate Limiting**: The bandwidth manager now supports
ingress rate limiting
([cilium/cilium#36351](https://redirect.github.com/cilium/cilium/pull/36351),
[@​l1b0k](https://redirect.github.com/l1b0k))
- **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature
now supports multiple devices
([cilium/cilium#38198](https://redirect.github.com/cilium/cilium/pull/38198),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more
resilient through a new system that reconciles desired neighbor entries
with the kernel state
([cilium/cilium#39987](https://redirect.github.com/cilium/cilium/pull/39987),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
##### 🌐 IPv6
- **🚇 Tunneling Underlay**: The tunneling datapath mode now supports
using an IPv6 network underlay, including when configured with IPsec
transparent encryption
([cilium/cilium#38296](https://redirect.github.com/cilium/cilium/pull/38296),
[cilium/cilium#39497](https://redirect.github.com/cilium/cilium/pull/39497),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **💬 Kube Proxy Replacement**: Cilium now implements service
translation when running on an IPv6 underlay
([cilium/cilium#39074](https://redirect.github.com/cilium/cilium/pull/39074),
[@​pchaigno](https://redirect.github.com/pchaigno))
- **📋 Delegated IPAM**: When delegating IP address management to a third
party plugin, Cilium now configures IPv6 routes for connectivity if the
plugin supports IPv6
([cilium/cilium#38249](https://redirect.github.com/cilium/cilium/pull/38249),
[@​caorui-io](https://redirect.github.com/caorui-io),
[@​kadevu](https://redirect.github.com/kadevu))
- **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments
to apply policy and routing functionality
([cilium/cilium#38110](https://redirect.github.com/cilium/cilium/pull/38110),
[@​gentoo-root](https://redirect.github.com/gentoo-root))
- **🚪 Egress gateway policies** can now match IPv6 address ranges
([cilium/cilium#38452](https://redirect.github.com/cilium/cilium/pull/38452),
[@​rgo3](https://redirect.github.com/rgo3))
##### 🛡️ Policy & Observability
- **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that
allowed or denied traffic when monitoring flows in Hubble
([cilium/cilium#39453](https://redirect.github.com/cilium/cilium/pull/39453),
[@​antonipp](https://redirect.github.com/antonipp))
- **📝 Policy Log Fields**: A new free-text log field is added to
policies, which is exposed in Hubble flows for easy correlation and
searching
([cilium/cilium#39902](https://redirect.github.com/cilium/cilium/pull/39902),
[@​squeed](https://redirect.github.com/squeed))
- **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated
traffic for deeper introspection into traffic flows
([cilium/cilium#37634](https://redirect.github.com/cilium/cilium/pull/37634),
[@​kaworu](https://redirect.github.com/kaworu))
- **🏰 ClusterMesh Policy Restriction**: A new option allows the
**cluster** entity to apply only to the local cluster in ClusterMesh
environment
([cilium/cilium#39338](https://redirect.github.com/cilium/cilium/pull/39338),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium
Grafana dashboard has been improved to show more relevant graphs,
including policy drops in both directions
([cilium/cilium#36492](https://redirect.github.com/cilium/cilium/pull/36492),
[cilium/cilium#37445](https://redirect.github.com/cilium/cilium/pull/37445),
[@​squeed](https://redirect.github.com/squeed))
##### 🌅 Performance
- **📊 Scale Test Results**: Cilium implements policies and services up
to 45% faster in higher scale environments (Various;
[@​marseel](https://redirect.github.com/marseel),
[cilium/cilium#40227](https://redirect.github.com/cilium/cilium/pull/40227))
- **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on
arm64 architecture images
([cilium/cilium#40005](https://redirect.github.com/cilium/cilium/pull/40005),
[@​marseel](https://redirect.github.com/marseel))
- **⚡ Improved Policy Performance**: The DNS proxy can process large
numbers of IPs faster, and the EndpointSelector match implementation has
been optimized
([cilium/cilium#39340](https://redirect.github.com/cilium/cilium/pull/39340),
[@​squeed](https://redirect.github.com/squeed);
[cilium/cilium#40414](https://redirect.github.com/cilium/cilium/pull/40414),
[@​marseel](https://redirect.github.com/marseel))
- **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh
mirrors EndpointSlice from the local cluster instead of copying the
Service selectors when using the MCS-API controller
([cilium/cilium#38596](https://redirect.github.com/cilium/cilium/pull/38596),
[@​MrFreezeex](https://redirect.github.com/MrFreezeex))
- **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is
optimized by only synchronizing identities keyed by ID, not by value
([cilium/cilium#36471](https://redirect.github.com/cilium/cilium/pull/36471),
[@​HadrienPatte](https://redirect.github.com/HadrienPatte))
- **🧠 Egress Gateway Processing**: Egress gateway policy processing is
significantly improved when matching a large number of pods
([cilium/cilium#37714](https://redirect.github.com/cilium/cilium/pull/37714),
[@​giorio94](https://redirect.github.com/giorio94))
- **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium
leverages batched iterators for CTMap GC
([cilium/cilium#36288](https://redirect.github.com/cilium/cilium/pull/36288),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
##### ⚙️ Operations
- **📈 API Server Connections at Scale**: Improve kube-apiserver
connections behavior at scale through failover and setting better jitter
and backoff configurations
([cilium/cilium#37601](https://redirect.github.com/cilium/cilium/pull/37601),
[@​aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#38031](https://redirect.github.com/cilium/cilium/pull/38031),
[@​orange30](https://redirect.github.com/orange30);
[cilium/cilium#36648](https://redirect.github.com/cilium/cilium/pull/36648),
[@​wedaly](https://redirect.github.com/wedaly))
- **🔄 ConfigMap Synchronization**: New option to automatically
synchronize ConfigMap changes into the agent and report metrics for when
the effective configuration is different from the desired configuration
([cilium/cilium#36510](https://redirect.github.com/cilium/cilium/pull/36510),
[@​ovidiutirla](https://redirect.github.com/ovidiutirla))
- **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**,
**CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API
([cilium/cilium#38940](https://redirect.github.com/cilium/cilium/pull/38940),
[@​christarazi](https://redirect.github.com/christarazi);
[cilium/cilium#39090](https://redirect.github.com/cilium/cilium/pull/39090),
[@​pippolo84](https://redirect.github.com/pippolo84);
[cilium/cilium#37765](https://redirect.github.com/cilium/cilium/pull/37765),
[@​rastislavs](https://redirect.github.com/rastislavs))
- **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new
default set of taints which avoids deploying to a drained node
([cilium/cilium#40137](https://redirect.github.com/cilium/cilium/pull/40137),
[@​Murat](https://redirect.github.com/Murat) Parlakisik)
- **:wood: Migrate to Slog**: Cilium now uses slog as log library for
all components
([cilium/cilium#39664](https://redirect.github.com/cilium/cilium/pull/39664),
[@​aanm](https://redirect.github.com/aanm))
- **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy
v1.34, LLVM 19.1, and CNI v1.1
([cilium/cilium#39124](https://redirect.github.com/cilium/cilium/pull/39124),
[cilium/cilium#40175](https://redirect.github.com/cilium/cilium/pull/40175),
[cilium/cilium#39632](https://redirect.github.com/cilium/cilium/pull/39632),
[@​sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#38868](https://redirect.github.com/cilium/cilium/pull/38868),
[@​squeed](https://redirect.github.com/squeed))
- **🐧 Minimum Linux Requirements**: The minimum kernel version for this
release series is Linux v5.10 or similar, such as RHEL 8.6
([cilium/cilium#38308](https://redirect.github.com/cilium/cilium/pull/38308),
[@​julianwiedmann](https://redirect.github.com/julianwiedmann))
##### 🕸️ Service Mesh & Gateway API
- **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0
([cilium/cilium#39590](https://redirect.github.com/cilium/cilium/pull/39590),
[@​sayboras](https://redirect.github.com/sayboras))
- **🔗 Improved GatewayClass Configuration**: The new
CiliumGatewayClassConfig object adds service type validation allows the
configuration of extra settings on a per-GatewayClass level:
LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium
to reconcile multiple GatewayClasses with different configurations
([cilium/cilium#37792](https://redirect.github.com/cilium/cilium/pull/37792),
[cilium/cilium#37402](https://redirect.github.com/cilium/cilium/pull/37402),
[cilium/cilium#40138](https://redirect.github.com/cilium/cilium/pull/40138),
[@​sayboras](https://redirect.github.com/sayboras))
- **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching
multiple HTTPRoutes to the same Service
([cilium/cilium#39922](https://redirect.github.com/cilium/cilium/pull/39922),
[@​youngnick](https://redirect.github.com/youngnick))
- **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all
changes to routes. This allows label updates to trigger reconciliation
correctly, amongst other things
([cilium/cilium#37798](https://redirect.github.com/cilium/cilium/pull/37798),
[@​sayboras](https://redirect.github.com/sayboras))
##### 🏷️ IP Address Management
- **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal
instances is now supported natively in Cilium's AWS ENI IPAM mode
([cilium/cilium#39678](https://redirect.github.com/cilium/cilium/pull/39678),
[@​41ks](https://redirect.github.com/41ks))
- **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in
external KVstore mode
([cilium/cilium#39638](https://redirect.github.com/cilium/cilium/pull/39638),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode
with IPSec transparent encryption in tunnel routing mode
([cilium/cilium#39442](https://redirect.github.com/cilium/cilium/pull/39442),
[@​pippolo84](https://redirect.github.com/pippolo84))
- **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in
multi-pool IPAM mode
([cilium/cilium#38483](https://redirect.github.com/cilium/cilium/pull/38483),
[@​pippolo84](https://redirect.github.com/pippolo84))
##### 🛣️ BGP
- **📇 Route Aggregation**: Add support for BGP route aggregation in the
control plane
([cilium/cilium#37275](https://redirect.github.com/cilium/cilium/pull/37275),
[@​romanspb80](https://redirect.github.com/romanspb80))
- **🎯 Overlapping Selector Matches**: Support overlapping selector
matches in **CiliumBGPAdvertisement** resources
([cilium/cilium#36414](https://redirect.github.com/cilium/cilium/pull/36414),
[@​dswaffordcw](https://redirect.github.com/dswaffordcw))
- **🆔 New Router ID generation modes**: Generate router-id based on MAC
addresses, or from an IP address pool
([cilium/cilium#36451](https://redirect.github.com/cilium/cilium/pull/36451),
[@​yushoyamaguchi](https://redirect.github.com/yushoyamaguchi);
[cilium/cilium#38300](https://redirect.github.com/cilium/cilium/pull/38300),
[@​liyihuang](https://redirect.github.com/liyihuang))
##### 🧑💻 Development Experience
- **🧪 Test attribution**: Identify owners of test in GitHub workflow
results to make it easier to connect with other developers on tricky
problems
([cilium/cilium#37027](https://redirect.github.com/cilium/cilium/pull/37027),
[@​Joe](https://redirect.github.com/Joe) Stringer)
- **🛏️ Policy REST API**: The Cilium policy API exposed over a local
unix socket is deprecated. The other mechanisms to configure policy via
Kubernetes resources or the local filesystem are preferred
([cilium/cilium#40212](https://redirect.github.com/cilium/cilium/pull/40212),
[@​squeed](https://redirect.github.com/squeed))
- **🏗️ Feature Deprecation**: Deprecate underused features like Custom
Calls, Recorder API and External Workloads
([cilium/cilium#38480](https://redirect.github.com/cilium/cilium/pull/38480),
[cilium/cilium#39642](https://redirect.github.com/cilium/cilium/pull/39642),
[cilium/cilium#37418](https://redirect.github.com/cilium/cilium/pull/37418),
[@​brb](https://redirect.github.com/brb))
##### 🏢 Community
- **❤️ Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus
Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner
Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB
Schenker](https://www.cncf.io/case-studies/db-schenker/),
[eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY),
[ECCO](https://www.cncf.io/case-studies/ecco/),
[G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social
Network
Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/),
and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M)
- **🇬🇧 London Events**: The community gathered at
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2025-EU)
in London
- **🇺🇸 Atlanta Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/)
and Cilium Developers Summit in Atlanta, Georgia
- **👥 SIG Community Meetings**: [SIG
Community](https://redirect.github.com/cilium/community/tree/main/sig-community)
now meets every first and third Thursday to foster, grow, and sustain
the Cilium open source community
##### 📔 Full CHANGELOG
- Full CHANGELOG.md can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md).
And finally, we would like to thank you to all contributors of Cilium
that helped directly and indirectly with the project. The success of
Cilium could not happen without all of you. ❤️ :people\_holding\_hands:
❤️
###
[`v1.17.7`](https://redirect.github.com/cilium/cilium/releases/tag/v1.17.7):
1.17.7
[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.17.6...1.17.7)
##### Summary of Changes
**Minor Changes:**
- Add `kernel_version`, `endpoint_routes_enabled`, `strict_mode_enabled`
and `kubernetes_version` feature metrics. (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41003](https://redirect.github.com/cilium/cilium/issues/41003),
[@​aanm](https://redirect.github.com/aanm))
**Bugfixes:**
- Added cleanup of deprecated cilium\_policy\_v1 maps (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​39400](https://redirect.github.com/cilium/cilium/issues/39400),
[@​pasteley](https://redirect.github.com/pasteley))
- bgp: Use private fork of the GoBGP to fix BGP MD5 auth (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40566](https://redirect.github.com/cilium/cilium/issues/40566),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- bpf/nat: fix header offset while reverse nat-ing icmp6 pkt too big.
(Backport PR
[#​40387](https://redirect.github.com/cilium/cilium/issues/40387),
Upstream PR
[#​40002](https://redirect.github.com/cilium/cilium/issues/40002),
[@​tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- Enable protocol differentiation by default on the operator, matching
the agent
([#​40643](https://redirect.github.com/cilium/cilium/issues/40643),
[@​dylandreimerink](https://redirect.github.com/dylandreimerink))
- Fix a bug where Cilium leaks stale routes when IPsec is enabled.
(Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40653](https://redirect.github.com/cilium/cilium/issues/40653),
[@​pippolo84](https://redirect.github.com/pippolo84))
- fix(helm): fix values.schema.json types for
bpf.events.default.{rateLimit,burstLimit} (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40543](https://redirect.github.com/cilium/cilium/issues/40543),
[@​vchirikov](https://redirect.github.com/vchirikov))
- fix: kube-proxy healthz panic on port 10256
([#​40590](https://redirect.github.com/cilium/cilium/issues/40590),
[@​tamilmani1989](https://redirect.github.com/tamilmani1989))
- Helm: Correct seccompProfile for cilium-agent pods (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40476](https://redirect.github.com/cilium/cilium/issues/40476),
[@​jcpunk](https://redirect.github.com/jcpunk))
- install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​41021](https://redirect.github.com/cilium/cilium/issues/41021),
[@​aanm](https://redirect.github.com/aanm))
- pkg/ipam: fix multi-pool allocator not releasing un-used /32 and /128
CIDRs (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40393](https://redirect.github.com/cilium/cilium/issues/40393),
[@​alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))
- service: Only set algorithm annotation when requested
([#​40845](https://redirect.github.com/cilium/cilium/issues/40845),
[@​tsotne95](https://redirect.github.com/tsotne95))
**CI Changes:**
- .github/actions: only upload files with features-tested prefix
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40975](https://redirect.github.com/cilium/cilium/issues/40975),
[@​aanm](https://redirect.github.com/aanm))
- .github: Don't overwrite junit results (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39159](https://redirect.github.com/cilium/cilium/issues/39159),
[@​joestringer](https://redirect.github.com/joestringer))
- .github: Run final steps when tests aren't skipped (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40180](https://redirect.github.com/cilium/cilium/issues/40180),
[@​joestringer](https://redirect.github.com/joestringer))
- \[v1.17] .github: Remove use of cosign attest --recursive
([#​40699](https://redirect.github.com/cilium/cilium/issues/40699),
[@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa))
- \[v1.17] ci: Revert build\_commits runner to ubuntu-22.04
([#​40837](https://redirect.github.com/cilium/cilium/issues/40837),
[@​rastislavs](https://redirect.github.com/rastislavs))
- builder: Add tparse,junit tooling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39092](https://redirect.github.com/cilium/cilium/issues/39092),
[@​joestringer](https://redirect.github.com/joestringer))
- Centralize dynamic test ownership configuration (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38045](https://redirect.github.com/cilium/cilium/issues/38045),
[@​joestringer](https://redirect.github.com/joestringer))
- ci: conformance-eks token extended to 8h (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40474](https://redirect.github.com/cilium/cilium/issues/40474),
[@​mathpl](https://redirect.github.com/mathpl))
- ci: more powerful runners for go linting (Backport PR
[#​40765](https://redirect.github.com/cilium/cilium/issues/40765),
Upstream PR
[#​40582](https://redirect.github.com/cilium/cilium/issues/40582),
[@​mathpl](https://redirect.github.com/mathpl))
- CLI: Attribute tests to codeowners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​37027](https://redirect.github.com/cilium/cilium/issues/37027),
[@​joestringer](https://redirect.github.com/joestringer))
- Emit junit output from BPF unit tests (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39099](https://redirect.github.com/cilium/cilium/issues/39099),
[@​joestringer](https://redirect.github.com/joestringer))
- Fix GKE cluster creation failures when branch names exceed 63-byte
label limit by implementing automatic truncation with hash-based
uniqueness preservation. (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40725](https://redirect.github.com/cilium/cilium/issues/40725),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- Improved test failure attribution on stable branches by using
TESTOWNERS files to route failures to appropriate code quality teams
rather than generic CI infrastructure teams. (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40776](https://redirect.github.com/cilium/cilium/issues/40776),
[@​pillai-ashwin](https://redirect.github.com/pillai-ashwin))
- pkg/egw: Add missing waitForReconciliationRun (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40355](https://redirect.github.com/cilium/cilium/issues/40355),
[@​aditighag](https://redirect.github.com/aditighag))
- spire: Fix unreliable test (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40561](https://redirect.github.com/cilium/cilium/issues/40561),
[@​joestringer](https://redirect.github.com/joestringer))
- tools/testowners: de-duplicate error logs (Backport PR
[#​41074](https://redirect.github.com/cilium/cilium/issues/41074),
Upstream PR
[#​40778](https://redirect.github.com/cilium/cilium/issues/40778),
[@​tklauser](https://redirect.github.com/tklauser))
- Upload junit results for Go unit test runs (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39015](https://redirect.github.com/cilium/cilium/issues/39015),
[@​joestringer](https://redirect.github.com/joestringer))
**Misc Changes:**
- .github/workflows: bump build-images-base timeout to 60 minutes
(Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40919](https://redirect.github.com/cilium/cilium/issues/40919),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix removal of all files in /mnt (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40818](https://redirect.github.com/cilium/cilium/issues/40818),
[@​aanm](https://redirect.github.com/aanm))
- .github: fix upload artifacts for features.json
([#​41091](https://redirect.github.com/cilium/cilium/issues/41091),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove all contents of /mnt in build images CI (Backport PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40814](https://redirect.github.com/cilium/cilium/issues/40814),
[@​aanm](https://redirect.github.com/aanm))
- .github: remove stable tag from v1.17 branches
([#​40772](https://redirect.github.com/cilium/cilium/issues/40772),
[@​aanm](https://redirect.github.com/aanm))
- certloader: Add client variants of watched TLS configs (Backport PR
[#​40624](https://redirect.github.com/cilium/cilium/issues/40624),
Upstream PR
[#​40399](https://redirect.github.com/cilium/cilium/issues/40399),
[@​devodev](https://redirect.github.com/devodev))
- chore(deps): update actions/download-artifact action to v5 (v1.17)
([#​41058](https://redirect.github.com/cilium/cilium/issues/41058),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40746](https://redirect.github.com/cilium/cilium/issues/40746),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​40905](https://redirect.github.com/cilium/cilium/issues/40905),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.17)
([#​41059](https://redirect.github.com/cilium/cilium/issues/41059),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40744](https://redirect.github.com/cilium/cilium/issues/40744),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.17)
([#​40984](https://redirect.github.com/cilium/cilium/issues/40984),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.17)
([#​40902](https://redirect.github.com/cilium/cilium/issues/40902),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.26
(v1.17)
([#​40646](https://redirect.github.com/cilium/cilium/issues/40646),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.5 docker digest to
[`ef5b4be`](https://redirect.github.com/cilium/cilium/commit/ef5b4be)
(v1.17)
([#​40745](https://redirect.github.com/cilium/cilium/issues/40745),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.6 (v1.17)
([#​40994](https://redirect.github.com/cilium/cilium/issues/40994),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.33.6-1753919866-df8077dbd3932edccb59f1c5c70e01f2c1f63741 (v1.17)
([#​40903](https://redirect.github.com/cilium/cilium/issues/40903),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40673](https://redirect.github.com/cilium/cilium/issues/40673),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​40904](https://redirect.github.com/cilium/cilium/issues/40904),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.17) (patch)
([#​41057](https://redirect.github.com/cilium/cilium/issues/41057),
[@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- ci: add/change runner labels (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40972](https://redirect.github.com/cilium/cilium/issues/40972),
[@​Artyop](https://redirect.github.com/Artyop))
- cli: Load code owners dynamically via --code-owners (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​38044](https://redirect.github.com/cilium/cilium/issues/38044),
[@​joestringer](https://redirect.github.com/joestringer))
- daemon/test: explicitly wait for identities synchronization (Backport
PR
[#​40849](https://redirect.github.com/cilium/cilium/issues/40849),
Upstream PR
[#​40811](https://redirect.github.com/cilium/cilium/issues/40811),
[@​giorio94](https://redirect.github.com/giorio94))
- doc:monitor: clarify direction traced with default aggregation level
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40398](https://redirect.github.com/cilium/cilium/issues/40398),
[@​smagnani96](https://redirect.github.com/smagnani96))
- docs: Add missing IPAM modes to configuration page (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40540](https://redirect.github.com/cilium/cilium/issues/40540),
[@​RayyanSeliya](https://redirect.github.com/RayyanSeliya))
- docs: Add warning about changing an IP pool (Backport PR
[#​40664](https://redirect.github.com/cilium/cilium/issues/40664),
Upstream PR
[#​40567](https://redirect.github.com/cilium/cilium/issues/40567),
[@​sorrison](https://redirect.github.com/sorrison))
- docs: remove l7 EnableDefaultDeny callout (Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40441](https://redirect.github.com/cilium/cilium/issues/40441),
[@​squeed](https://redirect.github.com/squeed))
- Fix race condition issues (Backport PR
[#​40988](https://redirect.github.com/cilium/cilium/issues/40988),
Upstream PR
[#​40949](https://redirect.github.com/cilium/cilium/issues/40949),
[@​aanm](https://redirect.github.com/aanm))
- Makefile: Fix multi codeowner detection (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40923](https://redirect.github.com/cilium/cilium/issues/40923),
[@​joestringer](https://redirect.github.com/joestringer))
- Makefile: Improve tparse,junit output handling (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​39098](https://redirect.github.com/cilium/cilium/issues/39098),
[@​joestringer](https://redirect.github.com/joestringer))
- Support extending cilium-agent volumes as a downstream packager
(Backport PR
[#​40578](https://redirect.github.com/cilium/cilium/issues/40578),
Upstream PR
[#​40401](https://redirect.github.com/cilium/cilium/issues/40401),
[@​devodev](https://redirect.github.com/devodev))
- tools: Move codeowners library from cilium-cli dir (Backport PR
[#​41014](https://redirect.github.com/cilium/cilium/issues/41014),
Upstream PR
[#​40253](https://redirect.github.com/cilium/cilium/issues/40253),
[@​joestringer](https://redirect.github.com/joestringer))
**Other Changes:**
- Fix bug where LocalRedirectPolicy forwarding would break if you enable
`bpf-lb-algorithm-annotation`
([#​40246](https://redirect.github.com/cilium/cilium/issues/40246),
[@​tarabrind](https://redirect.github.com/tarabrind))
- images: update cilium-{runtime,builder}
([#​40839](https://redirect.github.com/cilium/cilium/issues/40839),
[@​aanm](https://redirect.github.com/aanm))
- install: Update image digests for v1.17.6
([#​40546](https://redirect.github.com/cilium/cilium/issues/40546),
[@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
- vendor: Bump to StateDB v0.4.5
([#​40850](https://redirect.github.com/cilium/cilium/issues/40850),
[@​joamaki](https://redirect.github.com/joamaki))
##### Docker Manifests
##### cilium
`quay.io/cilium/cilium:v1.17.7@​sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86`
##### clustermesh-apiserver
`quay.io/cilium/clustermesh-apiserver:v1.17.7@​sha256:2852feca0d0d936ed0333cd64859f3c5ece2db582ba5fed848f57aff786be4a6`
##### docker-plugin
`quay.io/cilium/docker-plugin:v1.17.7@​sha256:1b7c8d64f01b309521f13ab2a15239a688b9f545bb97058d383ad3bb55e42e67`
##### hubble-relay
`quay.io/cilium/hubble-relay:v1.17.7@​sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77`
##### operator-alibabacloud
`quay.io/cilium/operator-alibabacloud:v1.17.7@​sha256:271e64d6c91019a1a4815b4c78294962bf51c9f764c680fdfacb2adb6e9d0c4d`
##### operator-aws
`quay.io/cilium/operator-aws:v1.17.7@​sha256:ce37d2ccf921761a4171a507748a06a204592890e6f8cf7d1c354648e098c830`
##### operator-azure
`quay.io/cilium/operator-azure:v1.17.7@​sha256:9c1db11de2e0cdcaba522c8f396b9a643738f3d3f958fa9b4d62f57bac5daafb`
##### operator-generic
`quay.io/cilium/operator-generic:v1.17.7@​sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788`
##### operator
`quay.io/cilium/operator:v1.17.7@​sha256:122e49fce82df90693f8981e5d9013b6a9248284db17226259e39364ba9a211d`
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40NS4wIiwidXBkYXRlZEluVmVyIjoiNDEuODQuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=-->
Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enable the "enable-experimental-lb" by default to start using the new implementation. The experimental nomenclature will be removed in follow-up PRs and by v1.18 release the old control-plane will be removed.
The CiliumEnvoyConfig handling was updated to process listeners separately from the backends to properly handle multiple listeners referring to the same services.