chore(deps): update helm release cilium to v1.19.2 #16

Open

renovate wants to merge 1 commit from renovate/cilium-1.x into main

pull from: renovate/cilium-1.x

merge into: wheatley:main

wheatley:main

wheatley:pgi-add-workflow

Conversation 0 Commits 1 Files changed 1 +1 -1

renovate commented 2026-02-10 01:06:05 +01:00

Collaborator

Copy link

This PR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	minor	1.18.6 → 1.19.2

---

Release Notes

cilium/cilium (cilium)

v1.19.2: 1.19.2

Compare Source

Summary of Changes

Minor Changes:

• ztunnel/helm: move ztunnel daemonset management from operator to helm (Backport PR #​44593, Upstream PR #​43763, @​nddq)

Bugfixes:

• Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (Backport PR #​44699, Upstream PR #​43928, @​dylandreimerink)
• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44760, Upstream PR #​44658, @​smagnani96)
• cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44517, Upstream PR #​44443, @​aanm)
• clustermesh: fix a few minor typo/issues in the MCS-API documentation (Backport PR #​44398, Upstream PR #​44299, @​MrFreezeex)
• clustermesh: fix a goroutine leak related to EndpointSliceSync when removing cluster (Backport PR #​44517, Upstream PR #​44444, @​MrFreezeex)
• clustermesh: fix a race condition where EndpointSlices created just before a cluster is removed could be left uncleaned (Backport PR #​44517, Upstream PR #​44503, @​MrFreezeex)
• Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44496, Upstream PR #​44209, @​dylandreimerink)
• Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44593, Upstream PR #​44540, @​tklauser)
• Fix bug where more Helm options were gated by loadbalancer option than intended (Backport PR #​44699, Upstream PR #​42916, @​mliner)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44593, Upstream PR #​44512, @​0xch4z)
• Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (Backport PR #​44699, Upstream PR #​44335, @​daanvinken)
• Fix tearing down wrong pod's veth in aws-cni chaining when using deterministic pod names (Backport PR #​44517, Upstream PR #​44494, @​aanm)
• Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR #​44398, Upstream PR #​43902, @​Aman-Cool)
• Fixed a bug where bandwidth priority updates were not applied when only the priority annotation was changed on a Pod. (Backport PR #​44517, Upstream PR #​44329, @​zbb88888)
• Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44517, Upstream PR #​44462, @​liyihuang)
• Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44699, Upstream PR #​44513, @​akos011221)
• gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44517, Upstream PR #​44492, @​youngnick)
• gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon. (Backport PR #​44517, Upstream PR #​44397, @​youngnick)
• Grant permissions to the cilium-operator so that it can reconcile ServiceImport when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44517, Upstream PR #​44458, @​MrFreezeex)
• helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (Backport PR #​44593, Upstream PR #​44196, @​nddq)
• ingress: Ensure that the shared ingress exposes port 443 so that it can pass upstream loadbalancer health checks. (Backport PR #​44517, Upstream PR #​44229, @​xtineskim)
• ipam: Fix concurrent map access to multipool map (Backport PR #​44517, Upstream PR #​44150, @​christarazi)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44800, Upstream PR #​44693, @​smagnani96)
• loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44398, Upstream PR #​44286, @​mhofstetter)
• policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks (Backport PR #​44418, Upstream PR #​43917, @​TheBeeZee)

CI Changes:

• .github/workflows: eks-cluster-pool-manager: fix race condition and c… (Backport PR #​44398, Upstream PR #​44283, @​aanm)
• ci: add k8s 1.35 for AKS (Backport PR #​44699, Upstream PR #​44550, @​Artyop)
• ci: add k8s 1.35 for gke tests (Backport PR #​44699, Upstream PR #​44549, @​Artyop)
• ci: k8s 1.35 to EKS matrix (Backport PR #​44517, Upstream PR #​44403, @​Artyop)
• ci: reduce number of k8s versions tested on EKS (Backport PR #​44517, Upstream PR #​44426, @​Artyop)
• docs: Bump k8s compat version (Backport PR #​44593, Upstream PR #​44516, @​joestringer)
• gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #​44517, Upstream PR #​44381, @​julianwiedmann)
• test/helpers: ignore error creating lease lock message (Backport PR #​44398, Upstream PR #​44282, @​aanm)

Misc Changes:

• [v1.19] fix: add Documentation/cmdref/cilium-dbg_policy_subject-selectors.md (#​44644, @​jingyuanliang)
• Added circuit breaker configuration (max connections, requests, and retries) for Cilium Envoy ingress, egress, and external envoy. (Backport PR #​44699, Upstream PR #​44195, @​liyihuang)
• bgp: Clean up unused RouteReflector and improve GoBGP test commands (Backport PR #​44632, Upstream PR #​44074, @​liyihuang)
• bgp: Introduce bgp/peers Hive Shell command (Backport PR #​44517, Upstream PR #​44067, @​YutaroHayakawa)
• bgp: Introduce bgp/routes Hive Shell command (Backport PR #​44517, Upstream PR #​44220, @​YutaroHayakawa)
• bgp: Make the BGP instance name retrievable from GoBGP (Backport PR #​44517, Upstream PR #​44024, @​YutaroHayakawa)
• chore(deps): update all github action dependencies (v1.19) (#​44475, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​44572, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​44673, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​44788, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​44573, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44574, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44668, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.19) (#​44568, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.19) (#​44671, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.19) (#​44472, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1772889061-409b87726267dd621aab2cc455bad504fa5006d0 (v1.19) (#​44669, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.19) (#​44723, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.19) (#​44787, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​44473, @​cilium-renovate[bot])
• contrib: Auto-find source files in check-source-info.sh (Backport PR #​44628, Upstream PR #​44506, @​YutaroHayakawa)
• contrib: Minor cleanups for check-source-info.sh (Backport PR #​44628, Upstream PR #​44431, @​YutaroHayakawa)
• docs(ztunnel): fix some typo (Backport PR #​44398, Upstream PR #​44294, @​alagoutte)
• docs: add policy language chapter headline (Backport PR #​44398, Upstream PR #​44204, @​orangecms)
• docs: Fix duplicate --version in Helm OCI install/upgrade documentation examples. (Backport PR #​44398, Upstream PR #​44380, @​gma1k)
• docs: Fix some "parsed-literal" blocks (Backport PR #​44517, Upstream PR #​44385, @​qmonnet)
• Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #​44398, Upstream PR #​44302, @​darox)
• docs: Point to cilium.io for community blogs (Backport PR #​44517, Upstream PR #​44420, @​qmonnet)
• fix(deps): update all-dependencies (v1.19) (#​44471, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable (v1.19) (#​44474, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to 0f775a3 (v1.19) (#​44570, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.35.2 (v1.19) (patch) (#​44571, @​cilium-renovate[bot])
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 (v1.19) (#​44670, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 15301c2 (v1.19) (#​44785, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 6a4a49e (v1.19) (#​44672, @​cilium-renovate[bot])
• fix: helm value rendering bug for operator.unmanagedPodWatcher.intervalSeconds (Backport PR #​44517, Upstream PR #​44211, @​jayl1e)
• k8s/client/fake: let update operations respect resource versioning (Backport PR #​44398, Upstream PR #​44264, @​giorio94)
• loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR #​44517, Upstream PR #​44323, @​mhofstetter)
• test: fix goleak check in combination with script tests (Backport PR #​44398, Upstream PR #​44228, @​giorio94)

Other Changes:

• [v1.19] ipam: Use existing mutex for multipool capacity synchronization (#​44777, @​christarazi)
• install: Update image digests for v1.19.1 (#​44410, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.2@​sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.2@​sha256:d1f44a78a0d0996ab1841f7564bc6fbd6e242d4ef673a2a8bfdd7385ef68018d

docker-plugin

quay.io/cilium/docker-plugin:v1.19.2@​sha256:1ba743852ab063d83955c3917d75b2d296ff78d944d09fc1802f85f07ebee334

hubble-relay

quay.io/cilium/hubble-relay:v1.19.2@​sha256:9987c73bad48c987fd065185535fd15a6717cbe8a8caf7fc7ef0413532cf490e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.2@​sha256:90bdedf6b0d3108245f8194f8c69262af2c8d839480f99d2396deed057899142

operator-aws

quay.io/cilium/operator-aws:v1.19.2@​sha256:6eaa299ad267d7b8fcb4bb17ee1008b391052e2e35f690b21783b1b23b5c0bf2

operator-azure

quay.io/cilium/operator-azure:v1.19.2@​sha256:9c040a57f4584782eda9a91f7cf3292ca5d0fb41d75f4aa41ece29d66e145293

operator-generic

quay.io/cilium/operator-generic:v1.19.2@​sha256:e363f4f634c2a66a36e01618734ea17e7b541b949b9a5632f9c180ab16de23f0

operator

quay.io/cilium/operator:v1.19.2@​sha256:56ea76f4c1dfc8a899581b35bb2fc87b3110ee57ff0ab4003ae26d5a27d81448

v1.19.1: 1.19.1

Compare Source

Summary of Changes

Bugfixes:

• clustermesh: fix CRD update permission for MCS-API CRD install (Backport PR #​44280, Upstream PR #​44224, @​Preisschild)
• Fix panic during datapath reinitialization if DirectRouting device is required but missing (Backport PR #​44280, Upstream PR #​44219, @​fristonio)
• helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44280, Upstream PR #​44159, @​puwun)
• Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44280, Upstream PR #​43517, @​pasteley)

CI Changes:

• ci: e2e: add kernel to workflow job names (Backport PR #​44127, Upstream PR #​44291, @​smagnani96)
• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44147, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44147, Upstream PR #​44115, @​julianwiedmann)

Misc Changes:

• chore(deps): update all github action dependencies (v1.19) (#​44248, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​44368, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​44363, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44247, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.19) (#​44343, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.19) (#​44400, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.19) (#​44242, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.7 docker digest to 85c0ab0 (v1.19) (#​44364, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.19) (#​44243, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.19) (#​44365, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260206102632-39e3d06a2850 (v1.19) (#​44244, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.19) (#​44245, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.19) (#​44262, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.19) (#​44366, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​44246, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​44367, @​cilium-renovate[bot])
• ci: e2e: improve GitHub action readability (Backport PR #​44127, Upstream PR #​44126, @​smagnani96)
• docs: Update docsearch to v4.5.4 (Backport PR #​44272, Upstream PR #​44233, @​joestringer)
• endpoint/watchdog: fetch all endpoints without programs loaded (Backport PR #​44280, Upstream PR #​44111, @​mhofstetter)
• gateway-apis: Correct supported versions in docs (#​44217, @​youngnick)
• Policy Tiers: feature-flagging, add fuzzer, fix corner cases (Backport PR #​44267, Upstream PR #​43893, @​jrajahalme)
• Policy: Fix rule origin for ordered policies (Backport PR #​44280, Upstream PR #​44178, @​jrajahalme)

Other Changes:

• install: Update image digests for v1.19.0 (#​44172, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.1@​sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.1@​sha256:56d6c3dc13b50126b80ecb571707a0ea97f6db694182b9d61efd386d04e5bb28

docker-plugin

quay.io/cilium/docker-plugin:v1.19.1@​sha256:6edfbf46ca484b1ed961f3c7382159ba7f0227e7af692159e99e8d4810ecaf34

hubble-relay

quay.io/cilium/hubble-relay:v1.19.1@​sha256:d8c4e13bc36a56179292bb52bc6255379cb94cb873700d316ea3139b1bdb8165

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.1@​sha256:837b12f4239e88ea5b4b5708ab982c319a94ee05edaecaafe5fd0e5b1962f554

operator-aws

quay.io/cilium/operator-aws:v1.19.1@​sha256:18913d05a6c4d205f0b7126c4723bb9ccbd4dc24403da46ed0f9f4bf2a142804

operator-azure

quay.io/cilium/operator-azure:v1.19.1@​sha256:82bce78603056e709d4c4e9f9ebb25c222c36d8a07f8c05381c2372d9078eca8

operator-generic

quay.io/cilium/operator-generic:v1.19.1@​sha256:e7278d763e448bf6c184b0682cf98cdca078d58a27e1b2f3c906792670aa211a

operator

quay.io/cilium/operator:v1.19.1@​sha256:93a6306d4543f1d8eccd79d6770c00ef4d4791f66326d97f9851f9d316e70141

v1.19.0: 1.19.0

Compare Source

🎉 Release Announcement 🎉: We are excited to announce the Cilium 1.19.0 release!

A total of 2934 new commits have been contributed to this release by a growing community of over 1010 developers and over 23,600 GitHub stars! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the Upgrade Guide for more details.

The full changelog can be found here.

Here are some of the highlights:

• 🛡️ Network Policy

  • 🃏 Multi-Level DNS Matches: DNS Policies match pattern now support a wildcard prefix(**.) to match multilevel subdomain as pattern prefix. (cilium/cilium#43420, @​fristonio)
  • 📡 Match New Protocols: You can now match VRRP and IGMP protocols in host firewall rules. (cilium/cilium#39872, @​aditighag; cilium/cilium#41949, @​kyounghunJang)
  • ⛔ Actively Deny Connections: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. (cilium/cilium#41406, @​antonipp)
  • 🌐 Select Clusters Explicitly: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. (cilium/cilium#40609, @​MrFreezeex)
  • 🔧 Unlock Future Work: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release (cilium/cilium#39906, @​vipul-21; cilium/cilium#42784, cilium/cilium#42896, @​jrajahalme)
  • ⚠️ Deprecate underutilized features: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the ToRequires and FromRequires policy fields. (cilium/cilium#43167, @​sayboras; cilium/cilium#40967, @​TheBeeZee)

• 🔒 Encryption & Authentication

  • 🔐 Encryption Strict Modes: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. (cilium/cilium#39239, cilium/cilium#42115, @​rgo3, @​julianwiedmann)
  • 🚇 Ztunnel Beta: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. (cilium/cilium#42766, cilium/cilium#42819, cilium/cilium#43227 and others, @​ldelossa, @​rgo3, @​nddq)
  • 👥 Mutual Authentication: The out-of-band Mutual Authentication feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. (cilium/cilium#42665, @​christarazi)
  • ↪️ Accelerate IPsec: The IPsec encryption mode now supports BPF Host Routing for faster route lookups (cilium/cilium#41997, @​pchaigno)

• 🚠 Networking

  • 🚀 BIG TCP in Tunnels: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. (cilium/cilium#43416, @​gentoo-root)
  • 🥌 Packetization-Layer Path MTU Discovery: Detect maximum transmission unit (MTU) sizes for network paths using TCP. (cilium/cilium#42012, cilium/cilium#43710, @​tommyp1ckles)
  • 🚆 IPv6 Underlay: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. (cilium/cilium#40324, @​pchaigno)
  • 🏷️ Multi-Pool IPAM is ready for wider use: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. (cilium/cilium#40460, cilium/cilium#42191, @​pippolo84)
  • 🎭 More Configurable Masquerade: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade (cilium/cilium#37568, @​behzad-mir; cilium/cilium#43380, @​alimehrabikoshki)

• 🕸️ Services and Service Mesh

  • 📣 Layer-2 Announcements: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. (cilium/cilium#39648, @​msune)
  • 🔁 IPv6 Service Loopback: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. (cilium/cilium#39594, @​saiaunghlyanhtet)
  • ⛩️ Gateway API Enhancements: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. (cilium/cilium#41936, @​youngnick)

• 🛣️ Border Gateway Protocol (BGP)

  • 🔌 Advertise Addresses from Interfaces: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. (cilium/cilium#42469, @​rastislavs)
  • ✉️ Override Source IP addresses: You can override the auto-generated BGP session source IP with the IP address applied on the configured sourceInterface to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle (cilium/cilium#42583, @​rastislavs)
  • 🔁 Withdraw Empty Routes: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with externalTrafficPolicy=Cluster (cilium/cilium#40717, @​oblazek)
  • ⚠️ Move to cilium.io/v2 API: The support for the older CiliumBGPPeeringPolicy v1 API is now removed and should be replaced with v2 APIs. (cilium/cilium#42278, @​rastislavs)

• 🛰️ Observability

  • 🔬 Trace IP Options: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. (cilium/cilium#41306, @​Bigdelle)
  • 🚩 Filter Encrypted Flows: Filter flows when using the hubble command line to understand the encryption status of the traffic, either --encrypted or --unencrypted. (cilium/cilium#43096, @​SRodi)
  • 🔖 Tag Drops with Policy Names: Hubble v1.Events drop messages now include which Network Policy caused the drop. (cilium/cilium#41693, @​41ks)

• 🌅 Performance and Scale

  • ⚡ Faster Network Policy Computation: Improve Cilium resource usage for handling selectors in network policies. (cilium/cilium#42008, @​jrajahalme; cilium/cilium#42580, @​odinuge)
  • 🔌 More Efficient Connection Tracking: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. (cilium/cilium#38782, @​BenoitKnecht; cilium/cilium#41990, @​bersoare)
  • 💾 Better Scale in AWS: Reduce memory usage for cilium-operator in large AWS environments with many resources. (cilium/cilium#42529, @​liyihuang)

• ⚙️ Operations

  • 📦 Access Helm charts via Registry: Helm charts are also available under quay.io/cilium/charts/cilium (cilium/cilium#43624, @​aanm)
  • 📊 Metrics Encryption: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. (cilium/cilium#42077, @​phuhung273)
  • 🤖 Easier Multi-Cluster install: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). (cilium/cilium#40729, @​MrFreezeex)
  • 📜 Simpler Certificate Management: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. (cilium/cilium#42298, @​MrFreezeex)
  • 🛠️ Cilium dependencies were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. (cilium/cilium#43422, @​aanm; cilium/cilium#40569, @​sayboras; cilium/cilium#41936, @​youngnick; cilium/cilium#42824, @​rastislavs).

• 🏠 Community

  • ❤️ Production Case Studies: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  • 📰 See studies with Airbnb, Cloudera, Cybozu, ESnet, Nutanix, OVHcloud, TikTok, University of Wisconsin–Madison.
  • 🇺🇸 Atlanta Events: The community gathered at CiliumCon and the Cilium Developer Summit in Atlanta.
  • 🇳🇱 Amsterdam Events: Meet us at the upcoming CiliumCon and Cilium Developer Summit in Amsterdam, March 23-27. Read more about where to find Cilium during the show.
  • 🔟 Cilium is 10: Read the 2025 Cilium Annual Report to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

🎂❤️❤️❤️🎂
This is a very special release for Cilium, as it celebrates 10 years since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
🎂❤️❤️❤️🎂

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49

docker-plugin

quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50

hubble-relay

quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0

operator-aws

quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6

operator-azure

quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a

operator-generic

quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648

operator

quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65

v1.18.8: 1.18.8

Compare Source

Known issues

• Users who deploy Cilium on GKE should skip this version or upgrade to 1.19.2 due to a known regression.

Summary of Changes

Minor Changes:

• Allow to attach Cilium's XDP program on network interfaces that have jumbo MTU configured and support xdp.frags program type. (Backport PR #​44499, Upstream PR #​41967, @​viktor-kurchenko)

Bugfixes:

• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44758, Upstream PR #​44658, @​smagnani96)
• cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44519, Upstream PR #​44443, @​aanm)
• Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44499, Upstream PR #​44209, @​dylandreimerink)
• Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44592, Upstream PR #​44540, @​tklauser)
• Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR #​44021, Upstream PR #​43999, @​EmilyShepherd)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44592, Upstream PR #​44512, @​0xch4z)
• Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44519, Upstream PR #​44462, @​liyihuang)
• Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44700, Upstream PR #​44513, @​akos011221)
• gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44519, Upstream PR #​44492, @​youngnick)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44804, Upstream PR #​44693, @​smagnani96)
• loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44399, Upstream PR #​44286, @​mhofstetter)

CI Changes:

• gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #​44519, Upstream PR #​44381, @​julianwiedmann)

Misc Changes:

• chore(deps): update all github action dependencies (v1.18) (#​44372, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44480, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44579, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44681, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44791, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​44369, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44580, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44678, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.8 (v1.18) (#​44810, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.18) (#​44344, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.18) (#​44401, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.18) (#​44577, @​cilium-renovate[bot])
• chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.18) (#​44679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.18) (#​44476, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.18) (#​44797, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.18) (#​44575, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.18) (#​44370, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.18) (#​44680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.18) (#​44371, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.18) (#​44478, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.18) (#​44676, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.18) (#​44789, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.18) (#​44807, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44252, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44479, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44677, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44790, @​cilium-renovate[bot])
• Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #​44399, Upstream PR #​44302, @​darox)
• fix(deps): update k8s.io patch updates stable (v1.18) (#​44477, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.33.9 (v1.18) (patch) (#​44578, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 0f775a3 (v1.18) (#​44576, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 15301c2 (v1.18) (#​44675, @​cilium-renovate[bot])
• loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR #​44519, Upstream PR #​44323, @​mhofstetter)

Other Changes:

• [1.18] gha: Use eks 1.32 from us-west-2 (#​44753, @​sayboras)
• [v1.18] endpoint/bpf: remove change empty condition for updateEnvoy (#​44616, @​liyihuang)
• [v1.18] gh: verifier: disable RHEL8 (#​44317, @​julianwiedmann)
• [v1.18] loadbalancer: Fix flake in hybrid-dsr.txtar (#​44756, @​julianwiedmann)
• install: Update image digests for v1.18.7 (#​44326, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.8@​sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.8@​sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5

docker-plugin

quay.io/cilium/docker-plugin:v1.18.8@​sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7

hubble-relay

quay.io/cilium/hubble-relay:v1.18.8@​sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.8@​sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252

operator-aws

quay.io/cilium/operator-aws:v1.18.8@​sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3

operator-azure

quay.io/cilium/operator-azure:v1.18.8@​sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332

operator-generic

quay.io/cilium/operator-generic:v1.18.8@​sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62f

operator

quay.io/cilium/operator:v1.18.8@​sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58

v1.18.7: 1.18.7

Compare Source

Summary of Changes

Minor Changes:

• Exclude topology.kubernetes.io labels from security labels by default (Backport PR #​43777, Upstream PR #​43725, @​moscicky)
• hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #​44004, Upstream PR #​43644, @​puwun)

Bugfixes:

• Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43912, @​fgiloux)
• bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #​43923, Upstream PR #​43868, @​br4243)
• bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #​43886, Upstream PR #​43069, @​borkmann)
• clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #​44056, Upstream PR #​43807, @​MrFreezeex)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43756, Upstream PR #​43095, @​aditighag)
• Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #​43861, Upstream PR #​43196, @​yushoyamaguchi)
• Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43949, @​giorio94)
• helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44281, Upstream PR #​44159, @​puwun)
• loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR #​43777, Upstream PR #​43620, @​imroc)
• Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44281, Upstream PR #​43517, @​pasteley)

CI Changes:

• fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR #​44056, Upstream PR #​42009, @​AritraDey-Dev)
• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44115, @​julianwiedmann)
• gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #​44004, Upstream PR #​43921, @​giorio94)
• gke: lower scope of ESP firewall rule (Backport PR #​43865, Upstream PR #​43691, @​marseel)

Misc Changes:

• .github/workflows: use proper directory structure for GH actions (#​43760, @​aanm)
• chore(deps): update all github action dependencies (v1.18) (#​43845, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43984, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44253, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​43839, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43840, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43983, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44098, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) (#​43844, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) (#​44096, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.18) (#​44249, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.18) (#​43979, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.18) (#​43980, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.18) (#​44250, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) (#​43841, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) (#​43842, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) (#​43981, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) (#​44251, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) (#​44260, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43843, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43982, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44097, @​cilium-renovate[bot])
• docs: add helm underlayProtocol value to documentation (Backport PR #​44056, Upstream PR #​43934, @​aanm)
• docs: adjust URL to latest stable Hubble CLI version (Backport PR #​43777, Upstream PR #​43745, @​tklauser)
• docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #​44056, Upstream PR #​44042, @​EmilyShepherd)
• docs: Update docsearch to v4.5.4 (Backport PR #​44273, Upstream PR #​44233, @​joestringer)
• Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR #​44056, Upstream PR #​43481, @​suunj)
• gitattributes: make install/kubernetes driver match more specific. (Backport PR #​44056, Upstream PR #​43943, @​tommyp1ckles)
• multicast: fix nil assignment to node configuration cell.Out map (Backport PR #​43865, Upstream PR #​40859, @​ldelossa)
• workflows: Add id-token permission to call-publish-helm job (Backport PR #​43777, Upstream PR #​43717, @​aanm)

Other Changes:

• .github/workflows: remove stable from v1.18 branch (#​44153, @​aanm)
• [v1.18] Backport setup gke cluster (#​43793, @​Artyop)
• install: Update image digests for v1.18.6 (#​43714, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa

docker-plugin

quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9

hubble-relay

quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0

operator-aws

quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45

operator-azure

quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f

operator-generic

quay.io/cilium/operator-generic:v1.18.7@​sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7

operator

quay.io/cilium/operator:v1.18.7@​sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f

---

Configuration

📅 Schedule: Branch creation - "before 6am on Tuesday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | HelmChart | minor | `1.18.6` → `1.19.2` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.19.2`](https://github.com/cilium/cilium/releases/tag/v1.19.2): 1.19.2 [Compare Source](https://github.com/cilium/cilium/compare/1.19.1...1.19.2) ## Summary of Changes **Minor Changes:** - ztunnel/helm: move ztunnel daemonset management from operator to helm (Backport PR [#&#8203;44593](https://github.com/cilium/cilium/issues/44593), Upstream PR [#&#8203;43763](https://github.com/cilium/cilium/issues/43763), [@&#8203;nddq](https://github.com/nddq)) **Bugfixes:** - Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;43928](https://github.com/cilium/cilium/issues/43928), [@&#8203;dylandreimerink](https://github.com/dylandreimerink)) - bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR [#&#8203;44760](https://github.com/cilium/cilium/issues/44760), Upstream PR [#&#8203;44658](https://github.com/cilium/cilium/issues/44658), [@&#8203;smagnani96](https://github.com/smagnani96)) - cilium-dbg: fix seg-fault `ip get -l reserved:host` (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44443](https://github.com/cilium/cilium/issues/44443), [@&#8203;aanm](https://github.com/aanm)) - clustermesh: fix a few minor typo/issues in the MCS-API documentation (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44299](https://github.com/cilium/cilium/issues/44299), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - clustermesh: fix a goroutine leak related to EndpointSliceSync when removing cluster (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44444](https://github.com/cilium/cilium/issues/44444), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - clustermesh: fix a race condition where EndpointSlices created just before a cluster is removed could be left uncleaned (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44503](https://github.com/cilium/cilium/issues/44503), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR [#&#8203;44496](https://github.com/cilium/cilium/issues/44496), Upstream PR [#&#8203;44209](https://github.com/cilium/cilium/issues/44209), [@&#8203;dylandreimerink](https://github.com/dylandreimerink)) - Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR [#&#8203;44593](https://github.com/cilium/cilium/issues/44593), Upstream PR [#&#8203;44540](https://github.com/cilium/cilium/issues/44540), [@&#8203;tklauser](https://github.com/tklauser)) - Fix bug where more Helm options were gated by `loadbalancer` option than intended (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;42916](https://github.com/cilium/cilium/issues/42916), [@&#8203;mliner](https://github.com/mliner)) - Fix envoy admin socket being created as world-accessible (Backport PR [#&#8203;44593](https://github.com/cilium/cilium/issues/44593), Upstream PR [#&#8203;44512](https://github.com/cilium/cilium/issues/44512), [@&#8203;0xch4z](https://github.com/0xch4z)) - Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;44335](https://github.com/cilium/cilium/issues/44335), [@&#8203;daanvinken](https://github.com/daanvinken)) - Fix tearing down wrong pod's veth in aws-cni chaining when using deterministic pod names (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44494](https://github.com/cilium/cilium/issues/44494), [@&#8203;aanm](https://github.com/aanm)) - Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;43902](https://github.com/cilium/cilium/issues/43902), [@&#8203;Aman-Cool](https://github.com/Aman-Cool)) - Fixed a bug where bandwidth priority updates were not applied when only the priority annotation was changed on a Pod. (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44329](https://github.com/cilium/cilium/issues/44329), [@&#8203;zbb88888](https://github.com/zbb88888)) - Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44462](https://github.com/cilium/cilium/issues/44462), [@&#8203;liyihuang](https://github.com/liyihuang)) - Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;44513](https://github.com/cilium/cilium/issues/44513), [@&#8203;akos011221](https://github.com/akos011221)) - gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44492](https://github.com/cilium/cilium/issues/44492), [@&#8203;youngnick](https://github.com/youngnick)) - gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon. (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44397](https://github.com/cilium/cilium/issues/44397), [@&#8203;youngnick](https://github.com/youngnick)) - Grant permissions to the cilium-operator so that it can reconcile ServiceImport when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44458](https://github.com/cilium/cilium/issues/44458), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (Backport PR [#&#8203;44593](https://github.com/cilium/cilium/issues/44593), Upstream PR [#&#8203;44196](https://github.com/cilium/cilium/issues/44196), [@&#8203;nddq](https://github.com/nddq)) - ingress: Ensure that the shared ingress exposes port 443 so that it can pass upstream loadbalancer health checks. (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44229](https://github.com/cilium/cilium/issues/44229), [@&#8203;xtineskim](https://github.com/xtineskim)) - ipam: Fix concurrent map access to multipool map (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44150](https://github.com/cilium/cilium/issues/44150), [@&#8203;christarazi](https://github.com/christarazi)) - l7lb: fix bypassing ingress policies for local backends (Backport PR [#&#8203;44800](https://github.com/cilium/cilium/issues/44800), Upstream PR [#&#8203;44693](https://github.com/cilium/cilium/issues/44693), [@&#8203;smagnani96](https://github.com/smagnani96)) - loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44286](https://github.com/cilium/cilium/issues/44286), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks (Backport PR [#&#8203;44418](https://github.com/cilium/cilium/issues/44418), Upstream PR [#&#8203;43917](https://github.com/cilium/cilium/issues/43917), [@&#8203;TheBeeZee](https://github.com/TheBeeZee)) **CI Changes:** - .github/workflows: eks-cluster-pool-manager: fix race condition and c… (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44283](https://github.com/cilium/cilium/issues/44283), [@&#8203;aanm](https://github.com/aanm)) - ci: add k8s 1.35 for AKS (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;44550](https://github.com/cilium/cilium/issues/44550), [@&#8203;Artyop](https://github.com/Artyop)) - ci: add k8s 1.35 for gke tests (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;44549](https://github.com/cilium/cilium/issues/44549), [@&#8203;Artyop](https://github.com/Artyop)) - ci: k8s 1.35 to EKS matrix (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44403](https://github.com/cilium/cilium/issues/44403), [@&#8203;Artyop](https://github.com/Artyop)) - ci: reduce number of k8s versions tested on EKS (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44426](https://github.com/cilium/cilium/issues/44426), [@&#8203;Artyop](https://github.com/Artyop)) - docs: Bump k8s compat version (Backport PR [#&#8203;44593](https://github.com/cilium/cilium/issues/44593), Upstream PR [#&#8203;44516](https://github.com/cilium/cilium/issues/44516), [@&#8203;joestringer](https://github.com/joestringer)) - gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44381](https://github.com/cilium/cilium/issues/44381), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - test/helpers: ignore error creating lease lock message (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44282](https://github.com/cilium/cilium/issues/44282), [@&#8203;aanm](https://github.com/aanm)) **Misc Changes:** - \[v1.19] fix: add Documentation/cmdref/cilium-dbg\_policy\_subject-selectors.md ([#&#8203;44644](https://github.com/cilium/cilium/issues/44644), [@&#8203;jingyuanliang](https://github.com/jingyuanliang)) - Added circuit breaker configuration (max connections, requests, and retries) for Cilium Envoy ingress, egress, and external envoy. (Backport PR [#&#8203;44699](https://github.com/cilium/cilium/issues/44699), Upstream PR [#&#8203;44195](https://github.com/cilium/cilium/issues/44195), [@&#8203;liyihuang](https://github.com/liyihuang)) - bgp: Clean up unused RouteReflector and improve GoBGP test commands (Backport PR [#&#8203;44632](https://github.com/cilium/cilium/issues/44632), Upstream PR [#&#8203;44074](https://github.com/cilium/cilium/issues/44074), [@&#8203;liyihuang](https://github.com/liyihuang)) - bgp: Introduce bgp/peers Hive Shell command (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44067](https://github.com/cilium/cilium/issues/44067), [@&#8203;YutaroHayakawa](https://github.com/YutaroHayakawa)) - bgp: Introduce bgp/routes Hive Shell command (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44220](https://github.com/cilium/cilium/issues/44220), [@&#8203;YutaroHayakawa](https://github.com/YutaroHayakawa)) - bgp: Make the BGP instance name retrievable from GoBGP (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44024](https://github.com/cilium/cilium/issues/44024), [@&#8203;YutaroHayakawa](https://github.com/YutaroHayakawa)) - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44475](https://github.com/cilium/cilium/issues/44475), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44572](https://github.com/cilium/cilium/issues/44572), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44673](https://github.com/cilium/cilium/issues/44673), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44788](https://github.com/cilium/cilium/issues/44788), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.19) ([#&#8203;44573](https://github.com/cilium/cilium/issues/44573), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.19) ([#&#8203;44574](https://github.com/cilium/cilium/issues/44574), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.19) ([#&#8203;44668](https://github.com/cilium/cilium/issues/44668), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.19) ([#&#8203;44568](https://github.com/cilium/cilium/issues/44568), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.19) ([#&#8203;44671](https://github.com/cilium/cilium/issues/44671), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.19) ([#&#8203;44472](https://github.com/cilium/cilium/issues/44472), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1772889061-409b87726267dd621aab2cc455bad504fa5006d0 (v1.19) ([#&#8203;44669](https://github.com/cilium/cilium/issues/44669), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.19) ([#&#8203;44723](https://github.com/cilium/cilium/issues/44723), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.19) ([#&#8203;44787](https://github.com/cilium/cilium/issues/44787), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.19) (patch) ([#&#8203;44473](https://github.com/cilium/cilium/issues/44473), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - contrib: Auto-find source files in check-source-info.sh (Backport PR [#&#8203;44628](https://github.com/cilium/cilium/issues/44628), Upstream PR [#&#8203;44506](https://github.com/cilium/cilium/issues/44506), [@&#8203;YutaroHayakawa](https://github.com/YutaroHayakawa)) - contrib: Minor cleanups for check-source-info.sh (Backport PR [#&#8203;44628](https://github.com/cilium/cilium/issues/44628), Upstream PR [#&#8203;44431](https://github.com/cilium/cilium/issues/44431), [@&#8203;YutaroHayakawa](https://github.com/YutaroHayakawa)) - docs(ztunnel): fix some typo (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44294](https://github.com/cilium/cilium/issues/44294), [@&#8203;alagoutte](https://github.com/alagoutte)) - docs: add policy language chapter headline (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44204](https://github.com/cilium/cilium/issues/44204), [@&#8203;orangecms](https://github.com/orangecms)) - docs: Fix duplicate `--version` in Helm OCI install/upgrade documentation examples. (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44380](https://github.com/cilium/cilium/issues/44380), [@&#8203;gma1k](https://github.com/gma1k)) - docs: Fix some "parsed-literal" blocks (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44385](https://github.com/cilium/cilium/issues/44385), [@&#8203;qmonnet](https://github.com/qmonnet)) - Docs: improve docs around ipsec upgrade in 1.18 (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44302](https://github.com/cilium/cilium/issues/44302), [@&#8203;darox](https://github.com/darox)) - docs: Point to cilium.io for community blogs (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44420](https://github.com/cilium/cilium/issues/44420), [@&#8203;qmonnet](https://github.com/qmonnet)) - fix(deps): update all-dependencies (v1.19) ([#&#8203;44471](https://github.com/cilium/cilium/issues/44471), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update k8s.io patch updates stable (v1.19) ([#&#8203;44474](https://github.com/cilium/cilium/issues/44474), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update k8s.io patch updates stable to [`0f775a3`](https://github.com/cilium/cilium/commit/0f775a3) (v1.19) ([#&#8203;44570](https://github.com/cilium/cilium/issues/44570), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update k8s.io patch updates stable to v0.35.2 (v1.19) (patch) ([#&#8203;44571](https://github.com/cilium/cilium/issues/44571), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 (v1.19) ([#&#8203;44670](https://github.com/cilium/cilium/issues/44670), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update sigs.k8s.io/mcs-api/controllers digest to [`15301c2`](https://github.com/cilium/cilium/commit/15301c2) (v1.19) ([#&#8203;44785](https://github.com/cilium/cilium/issues/44785), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update sigs.k8s.io/mcs-api/controllers digest to [`6a4a49e`](https://github.com/cilium/cilium/commit/6a4a49e) (v1.19) ([#&#8203;44672](https://github.com/cilium/cilium/issues/44672), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix: helm value rendering bug for operator.unmanagedPodWatcher.intervalSeconds (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44211](https://github.com/cilium/cilium/issues/44211), [@&#8203;jayl1e](https://github.com/jayl1e)) - k8s/client/fake: let update operations respect resource versioning (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44264](https://github.com/cilium/cilium/issues/44264), [@&#8203;giorio94](https://github.com/giorio94)) - loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR [#&#8203;44517](https://github.com/cilium/cilium/issues/44517), Upstream PR [#&#8203;44323](https://github.com/cilium/cilium/issues/44323), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - test: fix goleak check in combination with script tests (Backport PR [#&#8203;44398](https://github.com/cilium/cilium/issues/44398), Upstream PR [#&#8203;44228](https://github.com/cilium/cilium/issues/44228), [@&#8203;giorio94](https://github.com/giorio94)) **Other Changes:** - \[v1.19] ipam: Use existing mutex for multipool capacity synchronization ([#&#8203;44777](https://github.com/cilium/cilium/issues/44777), [@&#8203;christarazi](https://github.com/christarazi)) - install: Update image digests for v1.19.1 ([#&#8203;44410](https://github.com/cilium/cilium/issues/44410), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.2@&#8203;sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.2@&#8203;sha256:d1f44a78a0d0996ab1841f7564bc6fbd6e242d4ef673a2a8bfdd7385ef68018d` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.2@&#8203;sha256:1ba743852ab063d83955c3917d75b2d296ff78d944d09fc1802f85f07ebee334` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.2@&#8203;sha256:9987c73bad48c987fd065185535fd15a6717cbe8a8caf7fc7ef0413532cf490e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.2@&#8203;sha256:90bdedf6b0d3108245f8194f8c69262af2c8d839480f99d2396deed057899142` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.2@&#8203;sha256:6eaa299ad267d7b8fcb4bb17ee1008b391052e2e35f690b21783b1b23b5c0bf2` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.2@&#8203;sha256:9c040a57f4584782eda9a91f7cf3292ca5d0fb41d75f4aa41ece29d66e145293` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.2@&#8203;sha256:e363f4f634c2a66a36e01618734ea17e7b541b949b9a5632f9c180ab16de23f0` ##### operator `quay.io/cilium/operator:v1.19.2@&#8203;sha256:56ea76f4c1dfc8a899581b35bb2fc87b3110ee57ff0ab4003ae26d5a27d81448` ### [`v1.19.1`](https://github.com/cilium/cilium/releases/tag/v1.19.1): 1.19.1 [Compare Source](https://github.com/cilium/cilium/compare/1.19.0...1.19.1) ## Summary of Changes **Bugfixes:** - clustermesh: fix CRD update permission for MCS-API CRD install (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;44224](https://github.com/cilium/cilium/issues/44224), [@&#8203;Preisschild](https://github.com/Preisschild)) - Fix panic during datapath reinitialization if DirectRouting device is required but missing (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;44219](https://github.com/cilium/cilium/issues/44219), [@&#8203;fristonio](https://github.com/fristonio)) - helm: Fixed RBAC errors with `operator.enabled=false` by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;44159](https://github.com/cilium/cilium/issues/44159), [@&#8203;puwun](https://github.com/puwun)) - Reduces rtnl\_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM\_GETLINK operations (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;43517](https://github.com/cilium/cilium/issues/43517), [@&#8203;pasteley](https://github.com/pasteley)) **CI Changes:** - ci: e2e: add `kernel` to workflow job names (Backport PR [#&#8203;44127](https://github.com/cilium/cilium/issues/44127), Upstream PR [#&#8203;44291](https://github.com/cilium/cilium/issues/44291), [@&#8203;smagnani96](https://github.com/smagnani96)) - gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR [#&#8203;44147](https://github.com/cilium/cilium/issues/44147), Upstream PR [#&#8203;44109](https://github.com/cilium/cilium/issues/44109), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gh: ariane: skip more workflows for LVH kernel updates (Backport PR [#&#8203;44147](https://github.com/cilium/cilium/issues/44147), Upstream PR [#&#8203;44115](https://github.com/cilium/cilium/issues/44115), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) **Misc Changes:** - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44248](https://github.com/cilium/cilium/issues/44248), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.19) ([#&#8203;44368](https://github.com/cilium/cilium/issues/44368), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.19) ([#&#8203;44363](https://github.com/cilium/cilium/issues/44363), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.19) ([#&#8203;44247](https://github.com/cilium/cilium/issues/44247), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.19) ([#&#8203;44343](https://github.com/cilium/cilium/issues/44343), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.19) ([#&#8203;44400](https://github.com/cilium/cilium/issues/44400), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`b3255e7`](https://github.com/cilium/cilium/commit/b3255e7) (v1.19) ([#&#8203;44242](https://github.com/cilium/cilium/issues/44242), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.25.7 docker digest to [`85c0ab0`](https://github.com/cilium/cilium/commit/85c0ab0) (v1.19) ([#&#8203;44364](https://github.com/cilium/cilium/issues/44364), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/distroless/static:nonroot docker digest to [`f9f84bd`](https://github.com/cilium/cilium/commit/f9f84bd) (v1.19) ([#&#8203;44243](https://github.com/cilium/cilium/issues/44243), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.19) ([#&#8203;44365](https://github.com/cilium/cilium/issues/44365), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260206102632-39e3d06a2850 (v1.19) ([#&#8203;44244](https://github.com/cilium/cilium/issues/44244), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.19) ([#&#8203;44245](https://github.com/cilium/cilium/issues/44245), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.19) ([#&#8203;44262](https://github.com/cilium/cilium/issues/44262), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.19) ([#&#8203;44366](https://github.com/cilium/cilium/issues/44366), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.19) (patch) ([#&#8203;44246](https://github.com/cilium/cilium/issues/44246), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.19) (patch) ([#&#8203;44367](https://github.com/cilium/cilium/issues/44367), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - ci: e2e: improve GitHub action readability (Backport PR [#&#8203;44127](https://github.com/cilium/cilium/issues/44127), Upstream PR [#&#8203;44126](https://github.com/cilium/cilium/issues/44126), [@&#8203;smagnani96](https://github.com/smagnani96)) - docs: Update docsearch to v4.5.4 (Backport PR [#&#8203;44272](https://github.com/cilium/cilium/issues/44272), Upstream PR [#&#8203;44233](https://github.com/cilium/cilium/issues/44233), [@&#8203;joestringer](https://github.com/joestringer)) - endpoint/watchdog: fetch all endpoints without programs loaded (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;44111](https://github.com/cilium/cilium/issues/44111), [@&#8203;mhofstetter](https://github.com/mhofstetter)) - gateway-apis: Correct supported versions in docs ([#&#8203;44217](https://github.com/cilium/cilium/issues/44217), [@&#8203;youngnick](https://github.com/youngnick)) - Policy Tiers: feature-flagging, add fuzzer, fix corner cases (Backport PR [#&#8203;44267](https://github.com/cilium/cilium/issues/44267), Upstream PR [#&#8203;43893](https://github.com/cilium/cilium/issues/43893), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Policy: Fix rule origin for ordered policies (Backport PR [#&#8203;44280](https://github.com/cilium/cilium/issues/44280), Upstream PR [#&#8203;44178](https://github.com/cilium/cilium/issues/44178), [@&#8203;jrajahalme](https://github.com/jrajahalme)) **Other Changes:** - install: Update image digests for v1.19.0 ([#&#8203;44172](https://github.com/cilium/cilium/issues/44172), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.1@&#8203;sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.1@&#8203;sha256:56d6c3dc13b50126b80ecb571707a0ea97f6db694182b9d61efd386d04e5bb28` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.1@&#8203;sha256:6edfbf46ca484b1ed961f3c7382159ba7f0227e7af692159e99e8d4810ecaf34` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.1@&#8203;sha256:d8c4e13bc36a56179292bb52bc6255379cb94cb873700d316ea3139b1bdb8165` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.1@&#8203;sha256:837b12f4239e88ea5b4b5708ab982c319a94ee05edaecaafe5fd0e5b1962f554` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.1@&#8203;sha256:18913d05a6c4d205f0b7126c4723bb9ccbd4dc24403da46ed0f9f4bf2a142804` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.1@&#8203;sha256:82bce78603056e709d4c4e9f9ebb25c222c36d8a07f8c05381c2372d9078eca8` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.1@&#8203;sha256:e7278d763e448bf6c184b0682cf98cdca078d58a27e1b2f3c906792670aa211a` ##### operator `quay.io/cilium/operator:v1.19.1@&#8203;sha256:93a6306d4543f1d8eccd79d6770c00ef4d4791f66326d97f9851f9d316e70141` ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](https://github.com/cilium/cilium/compare/1.18.8...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩 ⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](https://github.com/cilium/cilium/pull/43420), [@&#8203;fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](https://github.com/cilium/cilium/pull/39872), [@&#8203;aditighag](https://github.com/aditighag); [cilium/cilium#41949](https://github.com/cilium/cilium/pull/41949), [@&#8203;kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](https://github.com/cilium/cilium/pull/41406), [@&#8203;antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](https://github.com/cilium/cilium/pull/40609), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](https://github.com/cilium/cilium/pull/39906), [@&#8203;vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](https://github.com/cilium/cilium/pull/42784), [cilium/cilium#42896](https://github.com/cilium/cilium/pull/42896), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](https://github.com/cilium/cilium/pull/43167), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#40967](https://github.com/cilium/cilium/pull/40967), [@&#8203;TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](https://github.com/cilium/cilium/pull/39239), [cilium/cilium#42115](https://github.com/cilium/cilium/pull/42115), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](https://github.com/cilium/cilium/pull/42766), [cilium/cilium#42819](https://github.com/cilium/cilium/pull/42819), [cilium/cilium#43227](https://github.com/cilium/cilium/pull/43227) and others, [@&#8203;ldelossa](https://github.com/ldelossa), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](https://github.com/cilium/cilium/pull/42665), [@&#8203;christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](https://github.com/cilium/cilium/pull/41997), [@&#8203;pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](https://github.com/cilium/cilium/pull/43416), [@&#8203;gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](https://github.com/cilium/cilium/pull/42012), [cilium/cilium#43710](https://github.com/cilium/cilium/pull/43710), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](https://github.com/cilium/cilium/pull/40324), [@&#8203;pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](https://github.com/cilium/cilium/pull/40460), [cilium/cilium#42191](https://github.com/cilium/cilium/pull/42191), [@&#8203;pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](https://github.com/cilium/cilium/pull/37568), [@&#8203;behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](https://github.com/cilium/cilium/pull/43380), [@&#8203;alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](https://github.com/cilium/cilium/pull/39648), [@&#8203;msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](https://github.com/cilium/cilium/pull/39594), [@&#8203;saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](https://github.com/cilium/cilium/pull/41936), [@&#8203;youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](https://github.com/cilium/cilium/pull/42469), [@&#8203;rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](https://github.com/cilium/cilium/pull/42583), [@&#8203;rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](https://github.com/cilium/cilium/pull/40717), [@&#8203;oblazek](https://github.com/oblazek)) - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](https://github.com/cilium/cilium/pull/42278), [@&#8203;rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](https://github.com/cilium/cilium/pull/41306), [@&#8203;Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](https://github.com/cilium/cilium/pull/43096), [@&#8203;SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](https://github.com/cilium/cilium/pull/41693), [@&#8203;41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](https://github.com/cilium/cilium/pull/42008), [@&#8203;jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](https://github.com/cilium/cilium/pull/42580), [@&#8203;odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](https://github.com/cilium/cilium/pull/38782), [@&#8203;BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](https://github.com/cilium/cilium/pull/41990), [@&#8203;bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](https://github.com/cilium/cilium/pull/42529), [@&#8203;liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](https://github.com/cilium/cilium/pull/43624), [@&#8203;aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](https://github.com/cilium/cilium/pull/42077), [@&#8203;phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](https://github.com/cilium/cilium/pull/40729), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](https://github.com/cilium/cilium/pull/42298), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](https://github.com/cilium/cilium/pull/43422), [@&#8203;aanm](https://github.com/aanm); [cilium/cilium#40569](https://github.com/cilium/cilium/pull/40569), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#41936](https://github.com/cilium/cilium/pull/41936), [@&#8203;youngnick](https://github.com/youngnick); [cilium/cilium#42824](https://github.com/cilium/cilium/pull/42824), [@&#8203;rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` ### [`v1.18.8`](https://github.com/cilium/cilium/releases/tag/v1.18.8): 1.18.8 [Compare Source](https://github.com/cilium/cilium/compare/1.18.7...1.18.8) ## Known issues - Users who deploy Cilium on GKE should skip this version or upgrade to 1.19.2 due to a [known regression](https://github.com/cilium/cilium/pull/44499#issuecomment-4080979129). ## Summary of Changes **Minor Changes:** - Allow to attach Cilium's XDP program on network interfaces that have jumbo MTU configured and support xdp.frags program type. (Backport PR [#&#8203;44499](https://github.com/cilium/cilium/issues/44499), Upstream PR [#&#8203;41967](https://github.com/cilium/cilium/issues/41967), [@&#8203;viktor-kurchenko](https://github.com/viktor-kurchenko)) **Bugfixes:** - bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR [#&#8203;44758](https://github.com/cilium/cilium/issues/44758), Upstream PR [#&#8203;44658](https://github.com/cilium/cilium/issues/44658), [@&#8203;smagnani96](https://github.com/smagnani96)) - cilium-dbg: fix seg-fault `ip get -l reserved:host` (Backport PR [#&#8203;44519](https://github.com/cilium/cilium/issues/44519), Upstream PR [#&#8203;44443](https://github.com/cilium/cilium/issues/44443), [@&#8203;aanm](https://github.com/aanm)) - Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR [#&#8203;44499](https://github.com/cilium/cilium/issues/44499), Upstream PR [#&#8203;44209](https://github.com/cilium/cilium/issues/44209), [@&#8203;dylandreimerink](https://github.com/dylandreimerink)) - Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR [#&#8203;44592](https://github.com/cilium/cilium/issues/44592), Upstream PR [#&#8203;44540](https://github.com/cilium/cilium/issues/44540), [@&#8203;tklauser](https://github.com/tklauser)) - Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR [#&#8203;44021](https://github.com/cilium/cilium/issues/44021), Upstream PR [#&#8203;43999](https://github.com/cilium/cilium/issues/43999), [@&#8203;EmilyShepherd](https://github.com/EmilyShepherd)) - Fix envoy admin socket being created as world-accessible (Backport PR [#&#8203;44592](https://github.com/cilium/cilium/issues/44592), Upstream PR [#&#8203;44512](https://github.com/cilium/cilium/issues/44512), [@&#8203;0xch4z](https://github.com/0xch4z)) - Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR [#&#8203;44519](https://github.com/cilium/cilium/issues/44519), Upstream PR [#&#8203;44462](https://github.com/cilium/cilium/issues/44462), [@&#8203;liyihuang](https://github.com/liyihuang)) - Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR [#&#8203;44700](https://github.com/cilium/cilium/issues/44700), Upstream PR [#&#8203;44513](https://github.com/cilium/cilium/issues/44513), [@&#8203;akos011221](https://github.com/akos011221)) - gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR [#&#8203;44519](https://github.com/cilium/cilium/issues/44519), Upstream PR [#&#8203;44492](https://github.com/cilium/cilium/issues/44492), [@&#8203;youngnick](https://github.com/youngnick)) - l7lb: fix bypassing ingress policies for local backends (Backport PR [#&#8203;44804](https://github.com/cilium/cilium/issues/44804), Upstream PR [#&#8203;44693](https://github.com/cilium/cilium/issues/44693), [@&#8203;smagnani96](https://github.com/smagnani96)) - loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR [#&#8203;44399](https://github.com/cilium/cilium/issues/44399), Upstream PR [#&#8203;44286](https://github.com/cilium/cilium/issues/44286), [@&#8203;mhofstetter](https://github.com/mhofstetter)) **CI Changes:** - gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR [#&#8203;44519](https://github.com/cilium/cilium/issues/44519), Upstream PR [#&#8203;44381](https://github.com/cilium/cilium/issues/44381), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) **Misc Changes:** - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44372](https://github.com/cilium/cilium/issues/44372), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44480](https://github.com/cilium/cilium/issues/44480), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44579](https://github.com/cilium/cilium/issues/44579), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44681](https://github.com/cilium/cilium/issues/44681), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44791](https://github.com/cilium/cilium/issues/44791), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#&#8203;44369](https://github.com/cilium/cilium/issues/44369), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#&#8203;44580](https://github.com/cilium/cilium/issues/44580), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#&#8203;44678](https://github.com/cilium/cilium/issues/44678), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images to v1.25.8 (v1.18) ([#&#8203;44810](https://github.com/cilium/cilium/issues/44810), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.18) ([#&#8203;44344](https://github.com/cilium/cilium/issues/44344), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.18) ([#&#8203;44401](https://github.com/cilium/cilium/issues/44401), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.18) ([#&#8203;44577](https://github.com/cilium/cilium/issues/44577), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.18) ([#&#8203;44679](https://github.com/cilium/cilium/issues/44679), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:24.04 docker digest to [`d1e2e92`](https://github.com/cilium/cilium/commit/d1e2e92) (v1.18) ([#&#8203;44476](https://github.com/cilium/cilium/issues/44476), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/distroless/static:nonroot docker digest to [`e3f9456`](https://github.com/cilium/cilium/commit/e3f9456) (v1.18) ([#&#8203;44797](https://github.com/cilium/cilium/issues/44797), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/distroless/static:nonroot docker digest to [`f512d81`](https://github.com/cilium/cilium/commit/f512d81) (v1.18) ([#&#8203;44575](https://github.com/cilium/cilium/issues/44575), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.18) ([#&#8203;44370](https://github.com/cilium/cilium/issues/44370), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.18) ([#&#8203;44680](https://github.com/cilium/cilium/issues/44680), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.18) ([#&#8203;44371](https://github.com/cilium/cilium/issues/44371), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.18) ([#&#8203;44478](https://github.com/cilium/cilium/issues/44478), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.18) ([#&#8203;44676](https://github.com/cilium/cilium/issues/44676), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.18) ([#&#8203;44789](https://github.com/cilium/cilium/issues/44789), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.18) ([#&#8203;44807](https://github.com/cilium/cilium/issues/44807), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;44252](https://github.com/cilium/cilium/issues/44252), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;44479](https://github.com/cilium/cilium/issues/44479), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;44677](https://github.com/cilium/cilium/issues/44677), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;44790](https://github.com/cilium/cilium/issues/44790), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Docs: improve docs around ipsec upgrade in 1.18 (Backport PR [#&#8203;44399](https://github.com/cilium/cilium/issues/44399), Upstream PR [#&#8203;44302](https://github.com/cilium/cilium/issues/44302), [@&#8203;darox](https://github.com/darox)) - fix(deps): update k8s.io patch updates stable (v1.18) ([#&#8203;44477](https://github.com/cilium/cilium/issues/44477), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update k8s.io patch updates stable to v0.33.9 (v1.18) (patch) ([#&#8203;44578](https://github.com/cilium/cilium/issues/44578), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update sigs.k8s.io/mcs-api/controllers digest to [`0f775a3`](https://github.com/cilium/cilium/commit/0f775a3) (v1.18) ([#&#8203;44576](https://github.com/cilium/cilium/issues/44576), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - fix(deps): update sigs.k8s.io/mcs-api/controllers digest to [`15301c2`](https://github.com/cilium/cilium/commit/15301c2) (v1.18) ([#&#8203;44675](https://github.com/cilium/cilium/issues/44675), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR [#&#8203;44519](https://github.com/cilium/cilium/issues/44519), Upstream PR [#&#8203;44323](https://github.com/cilium/cilium/issues/44323), [@&#8203;mhofstetter](https://github.com/mhofstetter)) **Other Changes:** - \[1.18] gha: Use eks 1.32 from us-west-2 ([#&#8203;44753](https://github.com/cilium/cilium/issues/44753), [@&#8203;sayboras](https://github.com/sayboras)) - \[v1.18] endpoint/bpf: remove change empty condition for updateEnvoy ([#&#8203;44616](https://github.com/cilium/cilium/issues/44616), [@&#8203;liyihuang](https://github.com/liyihuang)) - \[v1.18] gh: verifier: disable RHEL8 ([#&#8203;44317](https://github.com/cilium/cilium/issues/44317), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - \[v1.18] loadbalancer: Fix flake in hybrid-dsr.txtar ([#&#8203;44756](https://github.com/cilium/cilium/issues/44756), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - install: Update image digests for v1.18.7 ([#&#8203;44326](https://github.com/cilium/cilium/issues/44326), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.8@&#8203;sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.8@&#8203;sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.8@&#8203;sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.8@&#8203;sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.8@&#8203;sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.8@&#8203;sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.8@&#8203;sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.8@&#8203;sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62f` ##### operator `quay.io/cilium/operator:v1.18.8@&#8203;sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58` ### [`v1.18.7`](https://github.com/cilium/cilium/releases/tag/v1.18.7): 1.18.7 [Compare Source](https://github.com/cilium/cilium/compare/1.18.6...1.18.7) ## Summary of Changes **Minor Changes:** - Exclude topology.kubernetes.io labels from security labels by default (Backport PR [#&#8203;43777](https://github.com/cilium/cilium/issues/43777), Upstream PR [#&#8203;43725](https://github.com/cilium/cilium/issues/43725), [@&#8203;moscicky](https://github.com/moscicky)) - hubble-relay: Add `hubble.relay.logOptions.format` and `hubble.relay.logOptions.level` Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR [#&#8203;44004](https://github.com/cilium/cilium/issues/44004), Upstream PR [#&#8203;43644](https://github.com/cilium/cilium/issues/43644), [@&#8203;puwun](https://github.com/puwun)) **Bugfixes:** - Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR [#&#8203;44034](https://github.com/cilium/cilium/issues/44034), Upstream PR [#&#8203;43912](https://github.com/cilium/cilium/issues/43912), [@&#8203;fgiloux](https://github.com/fgiloux)) - bpf: Correct refinement of inner packet L4 checksum detection (Backport PR [#&#8203;43923](https://github.com/cilium/cilium/issues/43923), Upstream PR [#&#8203;43868](https://github.com/cilium/cilium/issues/43868), [@&#8203;br4243](https://github.com/br4243)) - bpf: Fix marker to skip nodeport when punting to proxy (Backport PR [#&#8203;43886](https://github.com/cilium/cilium/issues/43886), Upstream PR [#&#8203;43069](https://github.com/cilium/cilium/issues/43069), [@&#8203;borkmann](https://github.com/borkmann)) - clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;43807](https://github.com/cilium/cilium/issues/43807), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR [#&#8203;43756](https://github.com/cilium/cilium/issues/43756), Upstream PR [#&#8203;43095](https://github.com/cilium/cilium/issues/43095), [@&#8203;aditighag](https://github.com/aditighag)) - Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR [#&#8203;43861](https://github.com/cilium/cilium/issues/43861), Upstream PR [#&#8203;43196](https://github.com/cilium/cilium/issues/43196), [@&#8203;yushoyamaguchi](https://github.com/yushoyamaguchi)) - Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR [#&#8203;44034](https://github.com/cilium/cilium/issues/44034), Upstream PR [#&#8203;43949](https://github.com/cilium/cilium/issues/43949), [@&#8203;giorio94](https://github.com/giorio94)) - helm: Fixed RBAC errors with `operator.enabled=false` by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR [#&#8203;44281](https://github.com/cilium/cilium/issues/44281), Upstream PR [#&#8203;44159](https://github.com/cilium/cilium/issues/44159), [@&#8203;puwun](https://github.com/puwun)) - loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR [#&#8203;43777](https://github.com/cilium/cilium/issues/43777), Upstream PR [#&#8203;43620](https://github.com/cilium/cilium/issues/43620), [@&#8203;imroc](https://github.com/imroc)) - Reduces rtnl\_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM\_GETLINK operations (Backport PR [#&#8203;44281](https://github.com/cilium/cilium/issues/44281), Upstream PR [#&#8203;43517](https://github.com/cilium/cilium/issues/43517), [@&#8203;pasteley](https://github.com/pasteley)) **CI Changes:** - fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;42009](https://github.com/cilium/cilium/issues/42009), [@&#8203;AritraDey-Dev](https://github.com/AritraDey-Dev)) - gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR [#&#8203;44148](https://github.com/cilium/cilium/issues/44148), Upstream PR [#&#8203;44109](https://github.com/cilium/cilium/issues/44109), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gh: ariane: skip more workflows for LVH kernel updates (Backport PR [#&#8203;44148](https://github.com/cilium/cilium/issues/44148), Upstream PR [#&#8203;44115](https://github.com/cilium/cilium/issues/44115), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR [#&#8203;44004](https://github.com/cilium/cilium/issues/44004), Upstream PR [#&#8203;43921](https://github.com/cilium/cilium/issues/43921), [@&#8203;giorio94](https://github.com/giorio94)) - gke: lower scope of ESP firewall rule (Backport PR [#&#8203;43865](https://github.com/cilium/cilium/issues/43865), Upstream PR [#&#8203;43691](https://github.com/cilium/cilium/issues/43691), [@&#8203;marseel](https://github.com/marseel)) **Misc Changes:** - .github/workflows: use proper directory structure for GH actions ([#&#8203;43760](https://github.com/cilium/cilium/issues/43760), [@&#8203;aanm](https://github.com/aanm)) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;43845](https://github.com/cilium/cilium/issues/43845), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;43984](https://github.com/cilium/cilium/issues/43984), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44099](https://github.com/cilium/cilium/issues/44099), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#&#8203;44253](https://github.com/cilium/cilium/issues/44253), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#&#8203;43839](https://github.com/cilium/cilium/issues/43839), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#&#8203;43840](https://github.com/cilium/cilium/issues/43840), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#&#8203;43983](https://github.com/cilium/cilium/issues/43983), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#&#8203;44098](https://github.com/cilium/cilium/issues/44098), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) ([#&#8203;43844](https://github.com/cilium/cilium/issues/43844), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) ([#&#8203;44096](https://github.com/cilium/cilium/issues/44096), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`b3255e7`](https://github.com/cilium/cilium/commit/b3255e7) (v1.18) ([#&#8203;44249](https://github.com/cilium/cilium/issues/44249), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`e226d63`](https://github.com/cilium/cilium/commit/e226d63) (v1.18) ([#&#8203;43979](https://github.com/cilium/cilium/issues/43979), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:24.04 docker digest to [`cd1dba6`](https://github.com/cilium/cilium/commit/cd1dba6) (v1.18) ([#&#8203;43980](https://github.com/cilium/cilium/issues/43980), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/distroless/static:nonroot docker digest to [`f9f84bd`](https://github.com/cilium/cilium/commit/f9f84bd) (v1.18) ([#&#8203;44250](https://github.com/cilium/cilium/issues/44250), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) ([#&#8203;43841](https://github.com/cilium/cilium/issues/43841), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) ([#&#8203;43842](https://github.com/cilium/cilium/issues/43842), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) ([#&#8203;43981](https://github.com/cilium/cilium/issues/43981), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) ([#&#8203;44251](https://github.com/cilium/cilium/issues/44251), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) ([#&#8203;44260](https://github.com/cilium/cilium/issues/44260), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;43843](https://github.com/cilium/cilium/issues/43843), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;43982](https://github.com/cilium/cilium/issues/43982), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;44097](https://github.com/cilium/cilium/issues/44097), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: add helm underlayProtocol value to documentation (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;43934](https://github.com/cilium/cilium/issues/43934), [@&#8203;aanm](https://github.com/aanm)) - docs: adjust URL to latest stable Hubble CLI version (Backport PR [#&#8203;43777](https://github.com/cilium/cilium/issues/43777), Upstream PR [#&#8203;43745](https://github.com/cilium/cilium/issues/43745), [@&#8203;tklauser](https://github.com/tklauser)) - docs: Document hubble requirement on kernels with BPF\_EVENTS compiled in (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;44042](https://github.com/cilium/cilium/issues/44042), [@&#8203;EmilyShepherd](https://github.com/EmilyShepherd)) - docs: Update docsearch to v4.5.4 (Backport PR [#&#8203;44273](https://github.com/cilium/cilium/issues/44273), Upstream PR [#&#8203;44233](https://github.com/cilium/cilium/issues/44233), [@&#8203;joestringer](https://github.com/joestringer)) - Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;43481](https://github.com/cilium/cilium/issues/43481), [@&#8203;suunj](https://github.com/suunj)) - gitattributes: make install/kubernetes driver match more specific. (Backport PR [#&#8203;44056](https://github.com/cilium/cilium/issues/44056), Upstream PR [#&#8203;43943](https://github.com/cilium/cilium/issues/43943), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles)) - multicast: fix nil assignment to node configuration cell.Out map (Backport PR [#&#8203;43865](https://github.com/cilium/cilium/issues/43865), Upstream PR [#&#8203;40859](https://github.com/cilium/cilium/issues/40859), [@&#8203;ldelossa](https://github.com/ldelossa)) - workflows: Add id-token permission to call-publish-helm job (Backport PR [#&#8203;43777](https://github.com/cilium/cilium/issues/43777), Upstream PR [#&#8203;43717](https://github.com/cilium/cilium/issues/43717), [@&#8203;aanm](https://github.com/aanm)) **Other Changes:** - .github/workflows: remove stable from v1.18 branch ([#&#8203;44153](https://github.com/cilium/cilium/issues/44153), [@&#8203;aanm](https://github.com/aanm)) - \[v1.18] Backport setup gke cluster ([#&#8203;43793](https://github.com/cilium/cilium/issues/43793), [@&#8203;Artyop](https://github.com/Artyop)) - install: Update image digests for v1.18.6 ([#&#8203;43714](https://github.com/cilium/cilium/issues/43714), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.7@&#8203;sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.7@&#8203;sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.7@&#8203;sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.7@&#8203;sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.7@&#8203;sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.7@&#8203;sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.7@&#8203;sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.7@&#8203;sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7` ##### operator `quay.io/cilium/operator:v1.18.7@&#8203;sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f` </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Ny4wIiwidXBkYXRlZEluVmVyIjoiNDMuODYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->

renovate added 1 commit 2026-02-10 01:06:06 +01:00

chore(deps): update helm release cilium to v1.19.0 4021242ce7

renovate force-pushed renovate/cilium-1.x from 4021242ce7 to 9beedf8376 2026-02-17 20:01:25 +01:00 Compare

renovate changed title from chore(deps): update helm release cilium to v1.19.0 to chore(deps): update helm release cilium to v1.19.1 2026-02-17 20:01:40 +01:00

renovate force-pushed renovate/cilium-1.x from 9beedf8376 to da539eeb93 2026-03-23 12:01:50 +01:00 Compare

renovate changed title from chore(deps): update helm release cilium to v1.19.1 to chore(deps): update helm release cilium to v1.19.2 2026-03-23 12:02:02 +01:00

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/cilium-1.x:renovate/cilium-1.x

git checkout renovate/cilium-1.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main

git merge --no-ff renovate/cilium-1.x

git checkout renovate/cilium-1.x

git rebase main

git checkout main

git merge --ff-only renovate/cilium-1.x

git checkout renovate/cilium-1.x

git rebase main

git checkout main

git merge --no-ff renovate/cilium-1.x

git checkout main

git merge --squash renovate/cilium-1.x

git checkout main

git merge --ff-only renovate/cilium-1.x

git checkout main

git merge renovate/cilium-1.x

git push origin main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: wheatley/kubernetes#16

No description provided.