Summary of Changes

Major Changes:

• Add support for multiple gateways to Cilium Egress Gateway. (#39304, @carlos-abad)
• Support IPsec with IPv6 underlay in IPv6-only clusters (#39497, @pchaigno)

Minor Changes:

• Add security context to helm chart (#39205, @Sindvero)
• Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode (#39442, @pippolo84)
• agent: Deprecate --enable-internal-traffic-policy (#39768, @brb)
• agent: Deprecate enable-hubble-recorder-api and friends (#39642, @brb)
• BGP: Add peer auto-discovery using default-gateway mode (#39416, @naveenachyuta)
• clustermesh: add a new MCS-API controller mirroring the local EndpointSlice instead of copying the Service selectors. Cilium MCS-API now support EndpointSlice created outside of Service selectors and it fixes hostname synchronization in the context of MCS-API. (#38596, @MrFreezeex)
• clustermesh: helm option that allows for disabling KVStoreMesh has been deprecated (#39785, @marseel)
• Collect bpf-related metrics using native Go code instead of bpftool. Users should see a significant speedup in /metrics scraping as well as a significant decrease in CPU usage related to bpf metrics collection on both large and small Cilium deployments. (#39557, @ti-mo)
• daemon: Add require-k8s-connectivity flag to enable usage with cloud NLB services (#39434, @ya-makariy)
• Deprecate --enable-recorder (#39585, @brb)
• Deprecate enable-{node-port,host-port,externalips} (#39581, @brb)
• fix: Add support for changing the vxlan tunnel port after initial installation (#38583, @rapour)
• Helm: Add option to define resource limits for cerngen cronjob (#39261, @jcpunk)
• helm: KPR subflag changes (#39721, @brb)
• helm: PodDisruptionBudget can now set unhealthyPodEvictionPolicy (#39299, @jcpunk)
• hubble-cli: new --print-policy-names option to show the names of (C)CNPs that allowed or denied traffic (#39453, @antonipp)
• images: Bump llvm image to 19.1.7 (#39632, @sayboras)
• Implemented optional etcd cache for remote cluster's data in kvstore identity allocation mode. (#39523, @balous)
• Improves performance of the DNS proxy when large numbers of IPs are being cached. (#39340, @squeed)
• Increase the minimum required kernel version to v5.10 / RHEL 8.6. (#38308, @julianwiedmann)
• Introduce a new ip pool mode for BGP router ID allocation so cilium can pick up the router ID from a pool. (#38300, @liyihuang)
• pkg/lb: Add service.node.io/node(-selector) support (#39551, @brb)
• policy: add a new option enable-default-restrict-local-cluster-policy to restrict policies rules to the local cluster in ClusterMesh environment (#39338, @MrFreezeex)
• proxy: Add deprecated warning for proxylib (#39419, @sayboras)
• Remove dependency on /boot/config* and/or /proc/config* for feature detection (#39438, @ti-mo)
• remove deprecated node_connectivity metrics (#39694, @jshr-w)
• Remove stale ingress and egress routing rules after the deletion of an endpoint. (#39734, @pippolo84)
• Revert #36978 (#39333, @brb)
• The deprecated 'enableRuntimeDeviceDetection' helm option has been removed. (#39633, @joamaki)
• The service upsert and delete notifications are no longer shown as part of "cilium-dbg monitor". Instead the changes to service frontends can be monitored for debugging purposes with "cilium-dbg shell -- db/watch frontends". (#39493, @joamaki)
• vendor: Bump gateway-api version to 1.3.0 (#39590, @sayboras)

Bugfixes:

• aws/ENI: Only use pagination when not specifying IDs (#39120, @HadrienPatte)
• bgp: Fix router Stop handling to not affect Graceful Restart (#39835, @rastislavs)
• bpf: Fix Geneve-DSR inconsistency with host-routing off (#37937, @yushoyamaguchi)
• Creating pod with long (>63 characters) serviceaccount name works now (#39552, @marseel)
• Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (#39360, @pasteley)
• Fix data race involving DumpReliablyWithCallback map operation. (#38590, @aditighag)
• Fix handle_policy_egress programs not being cleaned up during endpoint teardown (#39560, @ti-mo)
• Fixed bug where datapath is unable to compile when active connection tracking and IPv6 are enabled at the same time. (#39509, @dylandreimerink)
• Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic. (#39693, @squeed)
• gateway-api: Fix parentRefMatched to check Group and Kind (#39275, @syedazeez337)
• gateway-api: Use original source address for GAMMA (#39206, @sayboras)
• helm/hubble: Fix wrong value for metrics server tls existingSecret (#39668, @devodev)
• operator: skip retry of node taint update when node not found (#39517, @jshr-w)
• Persist parent interface index of endpoint across agent restarts (#39575, @dylandreimerink)
• Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (#39511, @jrajahalme)

CI Changes:

• .github: Consistently clean up workers on start (#39644, @joestringer)
• bgp: Component tests enhancements (#39292, @rastislavs)
• bpf: Extend complexity test macros with ENABLE_SERVICE_PROTOCOL_DIFFERENTIATION (#39026, @aditighag)
• bpf: test: clean up dead LB_LOOKUP_SCOPE_INT service entries (#39733, @julianwiedmann)
• bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (#39420, @julianwiedmann)
• bpf: test: install deny-all network policy for LB hairpin tests (#39760, @julianwiedmann)
• bpf:ipsec: extend bpf tests for ipsec_maybe_redirect_to_encrypt (#39623, @smagnani96)
• ci: add actionlint (#39455, @nebril)
• ci: add CRR and baseline performance testing (#39626, @marseel)
• ci: skip tests for markdown files (#39641, @squeed)
• ci: stop using /mnt directory for building images (#39726, @marseel)
• cilium-cli: IPv6 connectivity tests for PodToHostPort (#39666, @gentoo-root)
• cilium-cli: Use v2alpha1 version of CCG for Cilium versions below v1.18 (#39776, @christarazi)
• Disable GitHub workflows on forks (#38791, @ishuar)
• disk-cleanup: Gather more info about usage (#39683, @joestringer)
• feat(connectivity): add network bandwidth management test (#38390, @l1b0k)
• Fix unparallel tests packages list in Makefile (#39250, @pippolo84)
• gh: e2e: enable secondary-network LB testing for all KPR=true configs (#39718, @julianwiedmann)
• gh: eks: restore concurrent execution of connectivity tests (#39673, @julianwiedmann)
• gha/scale-egw: explicitly enable IPv4 masquerade (#39367, @giorio94)
• ipsec: Cover IPv6-only clusters in CI (#39567, @pchaigno)
• ipsec: fix connection disruption issue for ipv6 ipsec upgrade scenarios. (#39061, @ldelossa)
• ipsec: Fix key count in key rotation test (#39512, @pchaigno)
• Miscellaneous improvements to the clustermesh scale test (#39397, @giorio94)
• Remove various remnants of vagrant-based testing (#39659, @tklauser)
• Revert "Disable GitHub workflows on forks" (#39529, @giorio94)
• test/controlplane: Remove load-balancing test cases (#39494, @joamaki)
• test/helpers: remove unused helpers (#39426, @tklauser)
• test/runtime: Remove Chaos and KVStore suites (#39388, @aanm)
• test/runtime: remove RuntimeAgentFQDNPolicies L3-dependent L7/HTTP test (#39630, @tklauser)
• test/runtime: replace RuntimeAgentFQDNPolicies CNAME follow by unit test (#39555, @tklauser)
• test: ginkgo cleanups (#39714, @julianwiedmann)
• test: remove stale warning log exception for legacy BGP (#39759, @julianwiedmann)
• test: Remove vagrant VM provisioning (#39450, @joestringer)
• workflows, docs: Remove useless echo in IPsec key rotation command (#39492, @pchaigno)
• workflows: Add WireGuard in the Conformance Multi-Pool workflow (#39561, @pippolo84)
• workflows: Remove kvstore related configs in conformance-multi-pool (#39754, @pippolo84)
• workflows: Skip code changes as separate step (#39792, @aditighag)

Misc Changes:

• ,github/workflows: remove duplicate yaml keys (#39392, @aanm)
• Add a section to talk about the native routing masquerading in the cloud environment. (#39343, @liyihuang)
• api: wait with api server start until legacy daemon init finished (#39441, @mhofstetter)
• aws/eni: fix typo (#39777, @dwj300)
• bgpv1: Add SourceASN field to Path struct (#39451, @YutaroHayakawa)
• bgpv2: Triggering state reconciliation from config reconciler (#39779, @YutaroHayakawa)
• bpf,nodeport: Fix broken nodeport nat egress hook (#39418, @YutaroHayakawa)
• bpf: add IPv6 mcast addr helpers and cleanup (#39579, @msune)
• bpf: address remaining HAVE_FIB_* usage (#39489, @julianwiedmann)
• bpf: convert IPV4_LOOPBACK to runtime variable, pass IPv4 addresses using union v4addr (#38818, @jrife)
• bpf: egressgw: modernize the FIB-driven redirect path (#39781, @julianwiedmann)
• bpf: fib: stream-line fib_do_redirect() (#39490, @julianwiedmann)
• bpf: host: flag Cilium's ESP traffic as TRACE_REASON_ENCRYPTED (#39558, @julianwiedmann)
• bpf: lb: add some test coverage for L4 proto differentiation (#39386, @julianwiedmann)
• bpf: nat: don't check port range for ICMP ECHOs (#39522, @julianwiedmann)
• bpf: nat: don't clamp range of ID field for ICMP ECHO (#39614, @julianwiedmann)
• bpf: nat: handle egressing ICMPv6 error messages with embedded ECHO / ECHO_REPLY (#39661, @julianwiedmann)
• bpf: nat: support egressing ICMPV6_PKT_TOOBIG / ICMPV6_TIME_EXCEED (#39505, @julianwiedmann)
• bpf: nodeport: don't track L2 addr for connection to local backend (v2) (#39640, @julianwiedmann)
• bpf: Skip lxc src IP check for proxy traffic (#39530, @sayboras)
• bpf: Support IPsec over IPv6 underlay (#39620, @pchaigno)
• bpf:trace: pass L3 protocol to send_trace_notify (#39794, @smagnani96)
• bpf:trace: refactor L2/L3 packet check into classifiers (#38723, @smagnani96)
• bpf|loader: keep CFLAGS (CLANG_FLAGS) in sync between loader and BPF unit tests (#39636, @msune)
• bugtool: also collect IPv6 EGW map (#39676, @julianwiedmann)
• bugtool: Include human-readable TTL for conntrack entries. (#39293, @sypakine)
• build(deps): bump jinja2 from 3.1.4 to 3.1.6 in /Documentation (#39399, @dependabot[bot])
• build: fix image dir on make image tag script (#39722, @Artyop)
• cec: fix missing call to injectCiliumEnvoyFilters (#39127, @mhofstetter)
• chore(deps): update all github action dependencies (main) (#39312, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#39460, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#39603, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#39818, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#39597, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#39310, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#39457, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#39624, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#39699, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#39812, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#39353, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#39569, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#39686, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#39814, @cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v31 (main) (#39604, @cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v31.1 (main) (#39815, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (main) (#39308, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 4c0a181 (main) (#39698, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 81bf592 (main) (#39811, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 86b4cff (main) (#39596, @cilium-renovate[bot])
• chore(deps): update docker/dockerfile:1.15 docker digest to 9857836 (main) (#39309, @cilium-renovate[bot])
• chore(deps): update go to v1.24.3 (main) (#39378, @cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v2.1.6 (main) (#39318, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.2-1746405500-3dbb3ba2b440d8822e8b48f0a82261c853410398 (main) (#39323, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.3-1746664032-76b4e6af1377de7c49c97022ba553d5b388f9dae (main) (#39412, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.3-1746785339-971577e505e5640c1642b4167205cfeaf4647ed1 (main) (#39474, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v40 (main) (#39313, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v40.11.2 (main) (#39458, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v40.19.1 (main) (#39598, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v40.36.8 (main) (#39816, @cilium-renovate[bot])
• chore: remove retention-days param in build-images-releases.yaml (#39431, @sekhar-isovalent)
• ci: eks cleanup step fix (#39618, @viktor-kurchenko)
• Cilium helm template preflight daemonset is broken. These changes fix the wrong annotations generation. (#39209, @roman-kiselenko)
• cilium-cli: Capture stderr from tcpdump as an error (#38884, @gentoo-root)
• cilium-cli: Migrate from corev1.Endpoints to discoveryv1.EndpointSlice (#39364, @HadrienPatte)
• cilium-dbg/cmd: migrate to slog (#39643, @aanm)
• cilium: sock termination fixes (#39800, @borkmann)
• ciliumenvoyconfig: fix typo in hive module name (#39424, @mhofstetter)
• cli: Move unexpected packet drops to final test (#39334, @nebril)
• cli: require Cilium v1.14 (#39717, @julianwiedmann)
• cli: Search and print previous logs if failed (#39347, @joestringer)
• clustermesh: Move command to subdirectory (#39348, @joestringer)
• CNP rule redirecting to a named Listener is now ignored on other Listeners. (#39079, @jrajahalme)
• config: Remove dead code for IPsec (#39619, @pchaigno)
• crd: fix double registration of ciliumnodeconfigs (#39542, @marseel)
• daemon/{cmd,k8s,restapi}: migrate to slog (#39501, @aanm)
• daemon: Hide restore option (#39345, @joestringer)
• daemon: migrate to slog (#39634, @aanm)
• datapath/tables: use netip types where possible (#39363, @tklauser)
• datapath: strictly require even more BPF functionality (#39524, @julianwiedmann)
• datapath: strictly require more BPF functionality (#39384, @julianwiedmann)
• datapath: update route and device statedb tables (#39178, @naveenachyuta)
• debuginfo: move debuginfo api handler from daemon to pkg/debug/api (#39357, @mhofstetter)
• deps: bump CNI plugins version (#39285, @ferozsalam)
• docs/ipam: Update IPAM feature compatibility table (#39513, @pippolo84)
• docs: Add documentation for BGP Peer Auto-Discovery (#39645, @naveenachyuta)
• docs: egressgw: various updates (#39613, @julianwiedmann)
• docs: fix minor typo in command output (#39580, @mikejoh)
• docs: kpr: cleanups for session affinity section (#39677, @julianwiedmann)
• docs: kpr: remove references to legacy kernel and K8s versions (#39674, @julianwiedmann)
• docs: Remove references to Vagrant (#39449, @joestringer)
• docs: Revert incompatibility note with Istio (#39503, @aditighag)
• docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (#38886, @auriaave)
• egressgw: fix IPv6 log message (#39326, @julianwiedmann)
• egressgw: reserve space in IPv6 policy entry (#39788, @julianwiedmann)
• egressgw: simplify error handling when selecting egressIP (#38995, @julianwiedmann)
• endpoint: execute Endpoint.writeHeaderFile under lockAlive (#39429, @ti-mo)
• endpoint: extract Endpoint API from daemon (#39014, @mhofstetter)
• endpoint: move ep bpfprog watchdog from daemon to pkg/endpoint/watchdog (#39365, @mhofstetter)
• envoy: expose post function on envoy admin client (#39525, @mhofstetter)
• examples: Bump cilium/starwars to v2.3 (#39447, @joestringer)
• Fix agent graceful shutdown (#39762, @squeed)
• Fix minor typos and wording issues in l2-announcements.rst (#39696, @suchit07-git)
• Fix node linux unit tests (#39272, @pippolo84)
• Fix the message when no nodes are available to be added multicast group. (#38637, @fujitatomoya)
• Fix typo in comment (#39829, @JamesLaverack)
• Fix typo L2_RESPONSER_MAP4_SIZE => L2_RESPONDER_ (#39574, @msune)
• fix(deps): update all go dependencies main (main) (#38865, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#39461, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#39819, @cilium-renovate[bot])
• fix(deps): update kubernetes packages to v0.33.1 (main) (#39602, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.213.0 (main) (#39311, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.217.0 (main) (#39459, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.222.0 (main) (#39700, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.224.0 (main) (#39817, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.10.0 (main) (#39701, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 to v7 (main) (#39820, @cilium-renovate[bot])
• fix(deps): update opentelemetry-go monorepo to v1.36.0 (main) (#39702, @cilium-renovate[bot])
• HELM: Adding Label Support to clustermesh apiserver service (#39520, @camrossi)
• helm: provide option to disable startup- and liveness probes on Envoy (#39527, @mhofstetter)
• hubble: don't log in parser options (#39639, @tklauser)
• hubble: move AssertProtoEqual helper to hubble testutils (#39366, @tklauser)
• hubble: use functional options pattern for SkipUnknownCGroupIDs (#39355, @tklauser)
• hubble: Use testing.T.Context added in Go 1.24 in tests (#39675, @HadrienPatte)
• identity/ipcache: extract identity restoration logic from Daemon (#39456, @mhofstetter)
• install/kubernetes: set file permissions to 644 (#39616, @aanm)
• introduces a new Makefile target kind-ipv6 to create of an IPv6-only kind cluster for Cilium development (#39545, @liyihuang)
• ipcache: Consolidate prefixes from various resources (#39176, @christarazi)
• ipcache: fix possible data race in kvstore synchronizer (#39369, @giorio94)
• k8s: flag --enable-k8s-endpoint-slice has been deprecated (#39769, @marseel)
• k8s: StateDB reflector's TransformMany to return objects to delete (#39330, @joamaki)
• k8s: use netip.Addr some more (#39528, @tklauser)
• kvstoremesh: possibility to enable kvstore heartbeat (#39521, @balous)
• labels: remove unused NewSelectLabelArrayFromModel (#39359, @tklauser)
• LB-IPAM: reduce CPU usage during service creation and release memory when no longer needed (#39278, @dylandreimerink)
• legacy/redirectpolicy: migrate to slog (#39241, @aanm)
• loadbalancer: Add file-based reflector (#39117, @joamaki)
• loadbalancer: Add LBMap pressure metrics (#37881, @joamaki)
• loadbalancer: Add LoadBalancerClass to Service (#39745, @joamaki)
• loadbalancer: Implement UDP socket termination (#39012, @joamaki)
• loadbalancer: Port forwarding mode to new control-plane (#39534, @joamaki)
• loadbalancer: Port proxy delegation to new control-plane (#39532, @joamaki)
• loadbalancer: Port SourceRangesPolicy annotation to new control-plane (#39533, @joamaki)
• loadbalancer: Remove Service.Properties (#39746, @joamaki)
• loadbalancer: Terminating backends fallback for maglev (#39743, @joamaki)
• loadbalancer: use netip.Prefix for Service.SourceRanges (#39427, @tklauser)
• logging: Update klog matching regexp (#39748, @HadrienPatte)
• maglev: Move seeds into maglev.Config (#39258, @joamaki)
• MAINTAINERS: Add Fabio Falzoi (#39625, @gandro)
• Makefile: Fix creating docker builders (#39681, @gentoo-root)
• maps/egressmap: remove leftover fmt (#39692, @aanm)
• metrics: remove unused metrics (#39747, @marseel)
• migrate misc packages to slog (#39663, @aanm)
• Move launcher and eventque to slog (#39132, @aanm)
• Move metrics to slog (#39537, @aanm)
• Move more other various packages to slog (#39243, @aanm)
• Move node to slog (#39147, @aanm)
• Move other various packages to slog (#39165, @aanm)
• Move various packages to slog (#39131, @aanm)
• nodemap: remove v1 map (#38251, @julianwiedmann)
• operator: Explicitly define spire defaults (#39349, @joestringer)
• Optimize the implementation of IPv6 fragments. (#39389, @gentoo-root)
• option: use netip.Prefix for DaemonConfig.ExcludeLocalAddresses (#39387, @tklauser)
• pkg/backoff: migrate to slog (#39130, @aanm)
• pkg/bpf: migrate to slog (#38518, @aanm)
• pkg/controller: migrate to slog (#39464, @aanm)
• pkg/health: migrate to slog (#39465, @aanm)
• pkg/identity: migrate to slog (#39145, @aanm)
• pkg/ipam: Migrate Subnet from net.IPNet to netip.Prefix (#39335, @HadrienPatte)
• pkg/ipcache: migrate to slog (#39463, @aanm)
• pkg/k8s: copy structs from k8s 1.33 (#39168, @aanm)
• pkg/k8s: Synchronize heartbeat goroutine (#39448, @aditighag)
• pkg/loadbalancer/legacy: use logger directly from hive (#39578, @aanm)
• pkg/maps: migrate to slog (#38373, @aanm)
• pkg/nodediscovery: migrate to slog (#39251, @aanm)
• pkg/operator: move to slog (#39466, @aanm)
• pkg/option/resolver: migrate to slog (#39254, @aanm)
• pkg/option: migrate to slog (#39502, @aanm)
• pkg/socketlb: migrate to slog (#39253, @aanm)
• pkg/{mcastmanager,multicast}: migrate to slog (#39255, @aanm)
• plugins: migrate to slog (#39584, @aanm)
• policy: extract namespace only once on repository insert/delete (#39771, @tklauser)
• policy: Remove Redundant Dualstack Identity Insertion (#39471, @nathanjsweet)
• policy: remove unused (*rule).resolve{In,E}gressPolicy return value (#39554, @tklauser)
• Prepare for release v1.18.0-pre.2 (#39283, @cilium-release-bot[bot])
• proxy: use LocalNodeStore to retrieve local node (#39268, @mhofstetter)
• proxy: Use upstream envoy control plane API (#39672, @sayboras)
• ratelimitmap: init maps before metrics collection (#39361, @mhofstetter)
• ReadinessProbe of Hubble-ui no longer produces unnecessary access log entries inside the frontend container. (#38725, @mkilchhofer)
• README: Update releases (#39288, @joestringer)
• README: Update releases (#39565, @thorn3r)
• Remove iproute2 compatibility code from the bpf loader (#39510, @ti-mo)
• Remove remaining references to consul (#39291, @joestringer)
• Renovate fixes (#39270, @chancez)
• renovate: only perform etcd patch version updates in stable branches (#39627, @giorio94)
• Rnat map stale entry cleanup (#39486, @ChinmayaSharma-hue)
• Scalability testing docs (#39171, @marseel)
• StateDB-based K8s fake client object tracker (#39446, @joamaki)
• Support triggering Makefiles from outside the tree (#39344, @joestringer)
• treewide: Remove references to cilium-etcd-operator (#39346, @joestringer)
• Update AUTHORS (#39284, @joestringer)
• update gRPC section to use gPRC status code (#39742, @paularah)
• vendor: Bump Hive and StateDB (#39679, @joamaki)
• Workaround IPv6 underlay checksum issue (#39279, @pchaigno)
• workflows: add RUN_AS_ROOT to build-go-caches workflow (#39763, @aanm)
• workflows: fix lint-workflows (#39398, @aanm)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.0-pre.3@sha256:22214dc8e975071c351a6ddffa833b478b0cd4c20c5dee6d787a734b6b8c971c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.0-pre.3@sha256:56f625a3e36bf6a0fdda5d5c505fb5c9015ba34f81b0a1069b10aa2bd4cd7e09

docker-plugin

quay.io/cilium/docker-plugin:v1.18.0-pre.3@sha256:d7117b299a4fa2b581ffdc6e6c3fe4a734acc2fa1f4a17ee185207d96322bd3d

hubble-relay

quay.io/cilium/hubble-relay:v1.18.0-pre.3@sha256:7f0c1ab7c7470c7242c87f50e8187d769a0de9944a49c72de858199629be521a

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.0-pre.3@sha256:0ea29d5422e4cc4eb86a59f9082832fd08c36c480c52919236f91d1e81b97e7b

operator-aws

quay.io/cilium/operator-aws:v1.18.0-pre.3@sha256:770f2786083549543ad86c09021f8c13eac36d036a84d9f513256be0f7f252c2

operator-azure

quay.io/cilium/operator-azure:v1.18.0-pre.3@sha256:9851b6040cfa49569670301a6aa1b84dd86fb91d69c8d2217b43a2908f2ee12b

operator-generic

quay.io/cilium/operator-generic:v1.18.0-pre.3@sha256:ef714b8b490d8368762bf067ddb037bc13eb4799cbb47b9fa0636af052645c12

operator

quay.io/cilium/operator:v1.18.0-pre.3@sha256:ff600a7756ed1e1a8bb7bf7d6ea84a7db2dda03b38a6ba071ee55f9f97023830