feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) #54

renovate · 2025-07-16T14:05:19Z

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	`1.17.5` -> `1.18.1`

Release Notes

cilium/cilium (cilium)

`v1.18.1`: 1.18.1

Compare Source

Summary of Changes

Minor Changes:

Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport PR #41078, Upstream PR #41003, @aanm)
eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport PR #40979, Upstream PR #40852, @marseel)
kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport PR #40979, Upstream PR #40920, @marseel)
operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport PR #40847, Upstream PR #40322, @marseel)

Bugfixes:

Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. (#41116, @joamaki)
aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR #40979, Upstream PR #40656, @HadrienPatte)
clustermesh: fix regression possibly causing cross-cluster connections disruption if the clustermesh-apiserver is restarted at the same time as Cilium agents. (Backport PR #40979, Upstream PR #40786, @giorio94)
clustermesh: fix regression preventing global services with unnamed ports from including remote backends (Backport PR #40865, Upstream PR #40848, @giorio94)
Fix bug where the presence of a label called "ingress" causes incorrect assignment of identities to workloads, affecting policy enforcement. (Backport PR #40847, Upstream PR #40791, @christarazi)
Fix skipping of LoadBalancer services when IPMode is not set to VIP (KEP-1860) (Backport PR #40979, Upstream PR #40915, @joamaki)
fix(GH-37724): Sync policies on startup (Backport PR #40847, Upstream PR #40357, @anubhabMajumdar)
fix: create policy snapshot only for sdp (Backport PR #40979, Upstream PR #40785, @vipul-21)
Fixes a bug where the Cilium agent may segfault when starting. (Backport PR #40847, Upstream PR #40824, @squeed)
Fixes an error where the Ingress controller, when run in host network, created an invalid Service. (Backport PR #41078, Upstream PR #40232, @rtheobald)
helm: Create envoy-config ConfigMap for preflight (Backport PR #41078, Upstream PR #40875, @sayboras)
install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR #41078, Upstream PR #41021, @aanm)
loadbalancer: Fix backend state in REST API (Backport PR #40847, Upstream PR #40780, @mhofstetter)

CI Changes:

.github/actions: only upload files with features-tested prefix (Backport PR #40979, Upstream PR #40975, @aanm)
Add TESTOWNERS file (#40864, @joestringer)
ci: Add Cleanup Disk space step into conformance-runtime (Backport PR #40979, Upstream PR #40973, @rastislavs)
ci: Fix CI-Fuzz Build failures (Backport PR #40979, Upstream PR #40728, @lomackie)
ci: Reuse connectivity test flags in proxy-embedded (Backport PR #41078, Upstream PR #41036, @joestringer)
endpoint: Avoid unnecessarily logging a warning during endpoint deletion (Backport PR #40979, Upstream PR #40927, @christarazi)
Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport PR #40847, Upstream PR #40725, @pillai-ashwin)
Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport PR #40847, Upstream PR #40776, @pillai-ashwin)
ipsec: fix privileged tests (Backport PR #41078, Upstream PR #41006, @smagnani96)
tools/testowners: de-duplicate error logs (Backport PR #40847, Upstream PR #40778, @tklauser)
workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade (Backport PR #40979, Upstream PR #40881, @smagnani96)

Misc Changes:

.github/workflows: bump build-images-base timeout to 60 minutes (Backport PR #40979, Upstream PR #40919, @aanm)
.github/workflows: print open file descriptors (Backport PR #40979, Upstream PR #40941, @aanm)
.github: fix removal of all files in /mnt (Backport PR #40847, Upstream PR #40818, @aanm)
.github: remove all contents of /mnt in build images CI (Backport PR #40847, Upstream PR #40814, @aanm)
chore(deps): update actions/download-artifact action to v5 (v1.18) (#41055, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#40901, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#41056, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#40900, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18) (#40898, @cilium-renovate[bot])
chore(deps): update go to v1.24.6 (v1.18) (#40993, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#40899, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41054, @cilium-renovate[bot])
ci: add/change runner labels (Backport PR #40979, Upstream PR #40972, @Artyop)
daemon/test: explicitly wait for identities synchronization (Backport PR #40847, Upstream PR #40811, @giorio94)
docs: Remove references to v1.15 (Backport PR #41078, Upstream PR #41033, @joestringer)
Fix loadbalancer handling of backends with ClusterID set (Backport PR #41078, Upstream PR #40968, @giorio94)
Fix race condition issues (Backport PR #40979, Upstream PR #40949, @aanm)
fix(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (v1.18) (#40793, @cilium-renovate[bot])
loadbalancer: Raise default retry duration to 1 second (Backport PR #41078, Upstream PR #40997, @joamaki)
loadbalancer: Use unique for L3n4Addr (Backport PR #40847, Upstream PR #40633, @joamaki)
Makefile: Fix multi codeowner detection (Backport PR #40847, Upstream PR #40923, @joestringer)
Reduced memory usage by roughly 10% for large EndpointSlices by sharing identical objects. (Backport PR #41078, Upstream PR #40987, @joamaki)
values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater (Backport PR #40847, Upstream PR #40625, @alagoutte)
vendor: Bump to StateDB v0.4.5 (Backport PR #40979, Upstream PR #40783, @joamaki)

Other Changes:

ci: reduce gke failures (#41070, @brlbil)
install: Update image digests for v1.18.0 (#40782, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.1@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb
quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb

docker-plugin

quay.io/cilium/docker-plugin:v1.18.1@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3
quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3

hubble-relay

quay.io/cilium/hubble-relay:v1.18.1@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0
quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.1@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a
quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a

operator-aws

quay.io/cilium/operator-aws:v1.18.1@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042
quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042

operator-azure

quay.io/cilium/operator-azure:v1.18.1@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06
quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06

operator-generic

quay.io/cilium/operator-generic:v1.18.1@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc
quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc

operator

quay.io/cilium/operator:v1.18.1@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e
quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e

`v1.18.0`: 1.18.0

Compare Source

We are excited to announce the Cilium 1.18.0 release!

A total of 3298 new commits have been contributed to this release by a growing community of over 955 developers and over 22,000 GitHub stars! ⭐

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.18.0:

🚠 Networking

⚖️ Load Balancing Redesign: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features (cilium/cilium#38469, @joamaki)
🔌 Virtual Network Devices: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels (cilium/cilium#37723, @ldelossa; cilium/cilium#37346, @gyutaeb)
Ⓜ️ Multiple Egress Gateways: Egress Gateways policies can now direct traffic towards multiple gateway nodes (cilium/cilium#39304, @carlos-abad)
🚦 Ingress Rate Limiting: The bandwidth manager now supports ingress rate limiting (cilium/cilium#36351, @l1b0k)
📢 Multi-Device L2 Announcements: The L2 pod announcement feature now supports multiple devices (cilium/cilium#38198, @dylandreimerink)
🏢 Neighbor Subsystem Rework: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state (cilium/cilium#39987, @dylandreimerink)

🌐 IPv6

🚇 Tunneling Underlay: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption (cilium/cilium#38296, cilium/cilium#39497, @pchaigno)
💬 Kube Proxy Replacement: Cilium now implements service translation when running on an IPv6 underlay (cilium/cilium#39074, @pchaigno)
📋 Delegated IPAM: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 (cilium/cilium#38249, @caorui-io, @kadevu)
📦 IP Fragment Support: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality (cilium/cilium#38110, @gentoo-root)
🚪 Egress gateway policies can now match IPv6 address ranges (cilium/cilium#38452, @rgo3)

🛡️ Policy & Observability

🏷️ Policy Names in Hubble-CLI: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble (cilium/cilium#39453, @antonipp)
📝 Policy Log Fields: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching (cilium/cilium#39902, @squeed)
🛰️ Encapsulated Traffic Decoding: Hubble decodes encapsulated traffic for deeper introspection into traffic flows (cilium/cilium#37634, @kaworu)
🏰 ClusterMesh Policy Restriction: A new option allows the cluster entity to apply only to the local cluster in ClusterMesh environment (cilium/cilium#39338, @MrFreezeex)
✨ Enhanced Policy Dashboard: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions (cilium/cilium#36492, cilium/cilium#37445, @squeed)

🌅 Performance

📊 Scale Test Results: Cilium implements policies and services up to 45% faster in higher scale environments (Various; @marseel, cilium/cilium#40227)
📦 Image Size Reduction: Docker image sizes are reduced by 32% on arm64 architecture images (cilium/cilium#40005, @marseel)
⚡ Improved Policy Performance: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized (cilium/cilium#39340, @squeed; cilium/cilium#40414, @marseel)
🪞 EndpointSlice Mirroring for Multi-Cluster Services: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller (cilium/cilium#38596, @MrFreezeex)
🌐 KVStoreMesh Optimization: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value (cilium/cilium#36471, @HadrienPatte)
🧠 Egress Gateway Processing: Egress gateway policy processing is significantly improved when matching a large number of pods (cilium/cilium#37714, @giorio94)
🗑️ Optimized Garbage Collection for Connection Tracking: Cilium leverages batched iterators for CTMap GC (cilium/cilium#36288, @tommyp1ckles)

⚙️ Operations

📈 API Server Connections at Scale: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations (cilium/cilium#37601, @aditighag; cilium/cilium#38031, @orange30; cilium/cilium#36648, @wedaly)
🔄 ConfigMap Synchronization: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration (cilium/cilium#36510, @ovidiutirla)
🎓 CRD Promotion to Stable: Promote CiliumCIDRGroup, CiliumLoadBalancerIPPool and all BGP CRDs to stable API (cilium/cilium#38940, @christarazi; cilium/cilium#39090, @pippolo84; cilium/cilium#37765, @rastislavs)
⛔ Node Taints Handling: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node (cilium/cilium#40137, @Murat Parlakisik)
🪵 Migrate to Slog: Cilium now uses slog as log library for all components (cilium/cilium#39664, @aanm)
🔧 Cilium dependencies were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 (cilium/cilium#39124, cilium/cilium#40175, cilium/cilium#39632, @sayboras; cilium/cilium#38868, @squeed)
🐧 Minimum Linux Requirements: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 (cilium/cilium#38308, @julianwiedmann)

🕸️ Service Mesh & Gateway API

⛩️ Gateway API v1.3.0: Gateway API support is bumped to v1.3.0 (cilium/cilium#39590, @sayboras)
🔗 Improved GatewayClass Configuration: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations (cilium/cilium#37792, cilium/cilium#37402, cilium/cilium#40138, @sayboras)
🚏 Multiple HTTPRoutes: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service (cilium/cilium#39922, @youngnick)
🪄 Route Changes Reconciliation: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things (cilium/cilium#37798, @sayboras)

🏷️ IP Address Management

☁️ AWS Prefix Delegation: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode (cilium/cilium#39678, @41ks)
🏬 Multi-Pool IPAM with KVStore: Add support for Multi-Pool IPAM in external KVstore mode (cilium/cilium#39638, @pippolo84)
🔐 Multi-Pool IPAM with IPSec: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode (cilium/cilium#39442, @pippolo84)
↪️ Multi-Pool Tunnel Routing: Add support for tunnel routing in multi-pool IPAM mode (cilium/cilium#38483, @pippolo84)

🛣️ BGP

📇 Route Aggregation: Add support for BGP route aggregation in the control plane (cilium/cilium#37275, @romanspb80)
🎯 Overlapping Selector Matches: Support overlapping selector matches in CiliumBGPAdvertisement resources (cilium/cilium#36414, @dswaffordcw)
🆔 New Router ID generation modes: Generate router-id based on MAC addresses, or from an IP address pool (cilium/cilium#36451, @yushoyamaguchi; cilium/cilium#38300, @liyihuang)

🧑‍💻 Development Experience

🧪 Test attribution: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems (cilium/cilium#37027, @Joe Stringer)
🛏️ Policy REST API: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred (cilium/cilium#40212, @squeed)
🏗️ Feature Deprecation: Deprecate underused features like Custom Calls, Recorder API and External Workloads (cilium/cilium#38480, cilium/cilium#39642, cilium/cilium#37418, @brb)

🏢 Community

❤️ Production Case Studies: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
- ByteDance, Canopus Networks, Corner Banca, DB Schenker, eBay, ECCO, G-Research, Social Network Company, and Preferred Networks
🇬🇧 London Events: The community gathered at CiliumCon and the Cilium Developer Summit in London
🇺🇸 Atlanta Events: Meet us at the upcoming CiliumCon and Cilium Developers Summit in Atlanta, Georgia
👥 SIG Community Meetings: SIG Community now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community

📔 Full CHANGELOG

Full CHANGELOG.md can be found here.

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ 🧑‍🤝‍🧑 ❤️

`v1.17.7`: 1.17.7

Compare Source

Summary of Changes

Minor Changes:

Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport PR #41074, Upstream PR #41003, @aanm)

Bugfixes:

Added cleanup of deprecated cilium_policy_v1 maps (Backport PR #40578, Upstream PR #39400, @pasteley)
bgp: Use private fork of the GoBGP to fix BGP MD5 auth (Backport PR #40578, Upstream PR #40566, @YutaroHayakawa)
bpf/nat: fix header offset while reverse nat-ing icmp6 pkt too big. (Backport PR #40387, Upstream PR #40002, @tommyp1ckles)
Enable protocol differentiation by default on the operator, matching the agent (#40643, @dylandreimerink)
Fix a bug where Cilium leaks stale routes when IPsec is enabled. (Backport PR #40664, Upstream PR #40653, @pippolo84)
fix(helm): fix values.schema.json types for bpf.events.default.{rateLimit,burstLimit} (Backport PR #40578, Upstream PR #40543, @vchirikov)
fix: kube-proxy healthz panic on port 10256 (#40590, @tamilmani1989)
Helm: Correct seccompProfile for cilium-agent pods (Backport PR #40578, Upstream PR #40476, @jcpunk)
install/kubernetes: fix clustermesh-apiserver extraEnv (Backport PR #41074, Upstream PR #41021, @aanm)
pkg/ipam: fix multi-pool allocator not releasing un-used /32 and /128 CIDRs (Backport PR #40578, Upstream PR #40393, @alimehrabikoshki)
service: Only set algorithm annotation when requested (#40845, @tsotne95)

CI Changes:

.github/actions: only upload files with features-tested prefix (Backport PR #40988, Upstream PR #40975, @aanm)
.github: Don't overwrite junit results (Backport PR #41014, Upstream PR #39159, @joestringer)
.github: Run final steps when tests aren't skipped (Backport PR #41014, Upstream PR #40180, @joestringer)
[v1.17] .github: Remove use of cosign attest --recursive (#40699, @YutaroHayakawa)
[v1.17] ci: Revert build_commits runner to ubuntu-22.04 (#40837, @rastislavs)
builder: Add tparse,junit tooling (Backport PR #41014, Upstream PR #39092, @joestringer)
Centralize dynamic test ownership configuration (Backport PR #41014, Upstream PR #38045, @joestringer)
ci: conformance-eks token extended to 8h (Backport PR #40578, Upstream PR #40474, @mathpl)
ci: more powerful runners for go linting (Backport PR #40765, Upstream PR #40582, @mathpl)
CLI: Attribute tests to codeowners (Backport PR #41014, Upstream PR #37027, @joestringer)
Emit junit output from BPF unit tests (Backport PR #41014, Upstream PR #39099, @joestringer)
Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport PR #40849, Upstream PR #40725, @pillai-ashwin)
Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport PR #41014, Upstream PR #40776, @pillai-ashwin)
pkg/egw: Add missing waitForReconciliationRun (Backport PR #40578, Upstream PR #40355, @aditighag)
spire: Fix unreliable test (Backport PR #40664, Upstream PR #40561, @joestringer)
tools/testowners: de-duplicate error logs (Backport PR #41074, Upstream PR #40778, @tklauser)
Upload junit results for Go unit test runs (Backport PR #41014, Upstream PR #39015, @joestringer)

Misc Changes:

.github/workflows: bump build-images-base timeout to 60 minutes (Backport PR #40988, Upstream PR #40919, @aanm)
.github: fix removal of all files in /mnt (Backport PR #40849, Upstream PR #40818, @aanm)
.github: fix upload artifacts for features.json (#41091, @aanm)
.github: remove all contents of /mnt in build images CI (Backport PR #40849, Upstream PR #40814, @aanm)
.github: remove stable tag from v1.17 branches (#40772, @aanm)
certloader: Add client variants of watched TLS configs (Backport PR #40624, Upstream PR #40399, @devodev)
chore(deps): update actions/download-artifact action to v5 (v1.17) (#41058, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#40746, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#40905, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#41059, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40744, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40984, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.17) (#40902, @cilium-renovate[bot])
chore(deps): update dependency cilium/little-vm-helper to v0.0.26 (v1.17) (#40646, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.5 docker digest to ef5b4be (v1.17) (#40745, @cilium-renovate[bot])
chore(deps): update go to v1.24.6 (v1.17) (#40994, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.6-1753919866-df8077dbd3932edccb59f1c5c70e01f2c1f63741 (v1.17) (#40903, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#40673, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#40904, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#41057, @cilium-renovate[bot])
ci: add/change runner labels (Backport PR #40988, Upstream PR #40972, @Artyop)
cli: Load code owners dynamically via --code-owners (Backport PR #41014, Upstream PR #38044, @joestringer)
daemon/test: explicitly wait for identities synchronization (Backport PR #40849, Upstream PR #40811, @giorio94)
doc:monitor: clarify direction traced with default aggregation level (Backport PR #40578, Upstream PR #40398, @smagnani96)
docs: Add missing IPAM modes to configuration page (Backport PR #40664, Upstream PR #40540, @RayyanSeliya)
docs: Add warning about changing an IP pool (Backport PR #40664, Upstream PR #40567, @sorrison)
docs: remove l7 EnableDefaultDeny callout (Backport PR #40578, Upstream PR #40441, @squeed)
Fix race condition issues (Backport PR #40988, Upstream PR #40949, @aanm)
Makefile: Fix multi codeowner detection (Backport PR #41014, Upstream PR #40923, @joestringer)
Makefile: Improve tparse,junit output handling (Backport PR #41014, Upstream PR #39098, @joestringer)
Support extending cilium-agent volumes as a downstream packager (Backport PR #40578, Upstream PR #40401, @devodev)
tools: Move codeowners library from cilium-cli dir (Backport PR #41014, Upstream PR #40253, @joestringer)

Other Changes:

Fix bug where LocalRedirectPolicy forwarding would break if you enable bpf-lb-algorithm-annotation (#40246, @tarabrind)
images: update cilium-{runtime,builder} (#40839, @aanm)
install: Update image digests for v1.17.6 (#40546, @cilium-release-bot[bot])
vendor: Bump to StateDB v0.4.5 (#40850, @joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.7@sha256:2852feca0d0d936ed0333cd64859f3c5ece2db582ba5fed848f57aff786be4a6

docker-plugin

quay.io/cilium/docker-plugin:v1.17.7@sha256:1b7c8d64f01b309521f13ab2a15239a688b9f545bb97058d383ad3bb55e42e67

hubble-relay

quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.7@sha256:271e64d6c91019a1a4815b4c78294962bf51c9f764c680fdfacb2adb6e9d0c4d

operator-aws

quay.io/cilium/operator-aws:v1.17.7@sha256:ce37d2ccf921761a4171a507748a06a204592890e6f8cf7d1c354648e098c830

operator-azure

quay.io/cilium/operator-azure:v1.17.7@sha256:9c1db11de2e0cdcaba522c8f396b9a643738f3d3f958fa9b4d62f57bac5daafb

operator-generic

quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788

operator

quay.io/cilium/operator:v1.17.7@sha256:122e49fce82df90693f8981e5d9013b6a9248284db17226259e39364ba9a211d

`v1.17.6`: 1.17.6

Compare Source

Summary of Changes

Minor Changes:

helm: KPR subflag changes (Backport PR #40222, Upstream PR #39721, @brb)

Bugfixes:

Deny policies are now synced to Envoy so that they can be enforced for Ingress policies. (Backport PR #40187, Upstream PR #39736, @jrajahalme)
Do not fail the agent startup in case IPv6 support is enabled and the node does not have an IPv6 address assigned yet (Backport PR #40205, Upstream PR #40143, @pippolo84)
Fix bug preventing a global service from including remote backends, if the local service has no selector, and the remote one gets removed and then added again. (#40361, @giorio94)
Fix data race involving DumpReliablyWithCallback map operation. (Backport PR #40094, Upstream PR #38590, @aditighag)
Fix IPAM IP release racing condition when IP reassigned back to ENI (Backport PR #40289, Upstream PR #40019, @victorcq)
hubble automatically pick the hubble-prefer-ipv6 to true if ipv4 not enabled (Backport PR #40289, Upstream PR #40210, @chengjoey)
LBIPAM: Fix deletion of CiliumLoadBalancerIPPool with multiple IP blocks that led to an operator crash (Backport PR #40094, Upstream PR #40013, @pippolo84)
pkg/egressgateway: ensure gateway IP is IPv4 (Backport PR #40332, Upstream PR #40209, @rgo3)
policy: fix error handling for selector policy resolution (#40404, @fristonio)

CI Changes:

ci: do not run north-south conn disrupt tests for 5.4 kernels (#39443, @ldelossa)
ci: fix north-south conn disrupt for 5.4 kernel (#40434, @smagnani96)

Misc Changes:

.github/workflows: remove reviewers if ciliumbot approved PR (Backport PR #40094, Upstream PR #39989, @aanm)
auto-approve: add repository as part command (Backport PR #40094, Upstream PR #40050, @aanm)
auto-approve: add repository as part command (Backport PR [#&feat(container): update image docker.io/getmeili/meilisearch ( v1.15.2 → v1.19.0 ) #82

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2025-07-16T14:06:02Z

--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: kube-system
-      version: 1.17.5
+      version: 1.17.6
   install:
     remediation:
       retries: -1
   interval: 1h
   upgrade:
     cleanupOnFail: true

github-actions · 2025-07-16T14:06:05Z

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -27,13 +27,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -189,13 +189,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -214,13 +214,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -246,13 +246,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -276,13 +276,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -292,13 +292,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -340,13 +340,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -29,13 +29,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-envoy
-        image: quay.io/cilium/cilium-envoy:v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626@sha256:9f69e290a7ea3d4edf9192acd81694089af048ae0d8a67fb63bd62dc1d72203e
+        image: quay.io/cilium/cilium-envoy:v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68@sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
         - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -29,13 +29,13 @@

         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.5@sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e
+        image: quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)

fix(helm): update chart cilium ( 1.17.5 → 1.17.6 )

aa02edf

renovate bot requested a review from zocimek as a code owner July 16, 2025 14:05

renovate bot added renovate/helm type/patch labels Jul 16, 2025

github-actions bot added the area/kubernetes label Jul 16, 2025

renovate bot changed the title ~~fix(helm): update chart cilium ( 1.17.5 → 1.17.6 )~~ feat(helm): update chart cilium ( 1.17.5 → 1.18.0 ) Jul 29, 2025

renovate bot changed the title ~~feat(helm): update chart cilium ( 1.17.5 → 1.18.0 )~~ feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) Aug 15, 2025

zocimek merged commit 84668ec into main Aug 25, 2025
6 checks passed

zocimek deleted the renovate/cilium-1.x branch August 25, 2025 13:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) #54

feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) #54

Uh oh!

renovate bot commented Jul 16, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Jul 16, 2025

Uh oh!

github-actions bot commented Jul 16, 2025

Uh oh!

Uh oh!

Uh oh!

feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) #54

feat(helm): update chart cilium ( 1.17.5 → 1.18.1 ) #54

Uh oh!

Conversation

renovate bot commented Jul 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v1.18.1: 1.18.1

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.0: 1.18.0

🚠 Networking

🌐 IPv6

🛡️ Policy & Observability

🌅 Performance

⚙️ Operations

🕸️ Service Mesh & Gateway API

🏷️ IP Address Management

🛣️ BGP

🧑‍💻 Development Experience

🏢 Community

📔 Full CHANGELOG

v1.17.7: 1.17.7

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.17.6: 1.17.6

Summary of Changes

Configuration

Uh oh!

github-actions bot commented Jul 16, 2025

Uh oh!

github-actions bot commented Jul 16, 2025

Uh oh!

Uh oh!

Uh oh!

renovate bot commented Jul 16, 2025 •

edited

Loading

`v1.18.1`: 1.18.1

`v1.18.0`: 1.18.0

`v1.17.7`: 1.17.7

`v1.17.6`: 1.17.6