chore(deps): update helm release cilium to v1.18.0

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	minor	1.17.3 -> 1.18.0

---

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

cilium/cilium (cilium)

v1.18.0: 1.18.0

Compare Source

We are excited to announce the Cilium 1.18.0 release!

A total of 3298 new commits have been contributed to this release by a growing community of over 955 developers and over 22,000 GitHub stars! ⭐

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.18.0:

🚠 Networking

• ⚖️ Load Balancing Redesign: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features (cilium/cilium#38469, @​joamaki)
• 🔌 Virtual Network Devices: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels (cilium/cilium#37723, @​ldelossa; cilium/cilium#37346, @​gyutaeb)
• Ⓜ️ Multiple Egress Gateways: Egress Gateways policies can now direct traffic towards multiple gateway nodes (cilium/cilium#39304, @​carlos-abad)
• 🚦 Ingress Rate Limiting: The bandwidth manager now supports ingress rate limiting (cilium/cilium#36351, @​l1b0k)
• 📢 Multi-Device L2 Announcements: The L2 pod announcement feature now supports multiple devices (cilium/cilium#38198, @​dylandreimerink)
• 🏢 Neighbor Subsystem Rework: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state (cilium/cilium#39987, @​dylandreimerink)

🌐 IPv6

• 🚇 Tunneling Underlay: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption (cilium/cilium#38296, cilium/cilium#39497, @​pchaigno)
• 💬 Kube Proxy Replacement: Cilium now implements service translation when running on an IPv6 underlay (cilium/cilium#39074, @​pchaigno)
• 📋 Delegated IPAM: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 (cilium/cilium#38249, @​caorui-io, @​kadevu)
• 📦 IP Fragment Support: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality (cilium/cilium#38110, @​gentoo-root)
• 🚪 Egress gateway policies can now match IPv6 address ranges (cilium/cilium#38452, @​rgo3)

🛡️ Policy & Observability

• 🏷️ Policy Names in Hubble-CLI: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble (cilium/cilium#39453, @​antonipp)
• 📝 Policy Log Fields: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching (cilium/cilium#39902, @​squeed)
• 🛰️ Encapsulated Traffic Decoding: Hubble decodes encapsulated traffic for deeper introspection into traffic flows (cilium/cilium#37634, @​kaworu)
• 🏰 ClusterMesh Policy Restriction: A new option allows the cluster entity to apply only to the local cluster in ClusterMesh environment (cilium/cilium#39338, @​MrFreezeex)
• ✨ Enhanced Policy Dashboard: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions (cilium/cilium#36492, cilium/cilium#37445, @​squeed)

🌅 Performance

• 📊 Scale Test Results: Cilium implements policies and services up to 45% faster in higher scale environments (Various; @​marseel, cilium/cilium#40227)
• 📦 Image Size Reduction: Docker image sizes are reduced by 32% on arm64 architecture images (cilium/cilium#40005, @​marseel)
• ⚡ Improved Policy Performance: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized (cilium/cilium#39340, @​squeed; cilium/cilium#40414, @​marseel)
• 🪞 EndpointSlice Mirroring for Multi-Cluster Services: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller (cilium/cilium#38596, @​MrFreezeex)
• 🌐 KVStoreMesh Optimization: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value (cilium/cilium#36471, @​HadrienPatte)
• 🧠 Egress Gateway Processing: Egress gateway policy processing is significantly improved when matching a large number of pods (cilium/cilium#37714, @​giorio94)
• 🗑️ Optimized Garbage Collection for Connection Tracking: Cilium leverages batched iterators for CTMap GC (cilium/cilium#36288, @​tommyp1ckles)

⚙️ Operations

• 📈 API Server Connections at Scale: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations (cilium/cilium#37601, @​aditighag; cilium/cilium#38031, @​orange30; cilium/cilium#36648, @​wedaly)
• 🔄 ConfigMap Synchronization: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration (cilium/cilium#36510, @​ovidiutirla)
• 🎓 CRD Promotion to Stable: Promote CiliumCIDRGroup, CiliumLoadBalancerIPPool and all BGP CRDs to stable API (cilium/cilium#38940, @​christarazi; cilium/cilium#39090, @​pippolo84; cilium/cilium#37765, @​rastislavs)
• ⛔ Node Taints Handling: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node (cilium/cilium#40137, @​Murat Parlakisik)
• :wood: Migrate to Slog: Cilium now uses slog as log library for all components (cilium/cilium#39664, @​aanm)
• 🔧 Cilium dependencies were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 (cilium/cilium#39124, cilium/cilium#40175, cilium/cilium#39632, @​sayboras; cilium/cilium#38868, @​squeed)
• 🐧 Minimum Linux Requirements: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 (cilium/cilium#38308, @​julianwiedmann)

🕸️ Service Mesh & Gateway API

• ⛩️ Gateway API v1.3.0: Gateway API support is bumped to v1.3.0 (cilium/cilium#39590, @​sayboras)
• 🔗 Improved GatewayClass Configuration: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations (cilium/cilium#37792, cilium/cilium#37402, cilium/cilium#40138, @​sayboras)
• 🚏 Multiple HTTPRoutes: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service (cilium/cilium#39922, @​youngnick)
• 🪄 Route Changes Reconciliation: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things (cilium/cilium#37798, @​sayboras)

🏷️ IP Address Management

• ☁️ AWS Prefix Delegation: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode (cilium/cilium#39678, @​41ks)
• 🏬 Multi-Pool IPAM with KVStore: Add support for Multi-Pool IPAM in external KVstore mode (cilium/cilium#39638, @​pippolo84)
• 🔐 Multi-Pool IPAM with IPSec: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode (cilium/cilium#39442, @​pippolo84)
• ↪️ Multi-Pool Tunnel Routing: Add support for tunnel routing in multi-pool IPAM mode (cilium/cilium#38483, @​pippolo84)

🛣️ BGP

• 📇 Route Aggregation: Add support for BGP route aggregation in the control plane (cilium/cilium#37275, @​romanspb80)
• 🎯 Overlapping Selector Matches: Support overlapping selector matches in CiliumBGPAdvertisement resources (cilium/cilium#36414, @​dswaffordcw)
• 🆔 New Router ID generation modes: Generate router-id based on MAC addresses, or from an IP address pool (cilium/cilium#36451, @​yushoyamaguchi; cilium/cilium#38300, @​liyihuang)

🧑‍💻 Development Experience

• 🧪 Test attribution: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems (cilium/cilium#37027, @​Joe Stringer)
• 🛏️ Policy REST API: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred (cilium/cilium#40212, @​squeed)
• 🏗️ Feature Deprecation: Deprecate underused features like Custom Calls, Recorder API and External Workloads (cilium/cilium#38480, cilium/cilium#39642, cilium/cilium#37418, @​brb)

🏢 Community

• ❤️ Production Case Studies: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  • ByteDance, Canopus Networks, Corner Banca, DB Schenker, eBay, ECCO, G-Research, Social Network Company, and Preferred Networks
• 🇬🇧 London Events: The community gathered at CiliumCon and the Cilium Developer Summit in London
• 🇺🇸 Atlanta Events: Meet us at the upcoming CiliumCon and Cilium Developers Summit in Atlanta, Georgia
• 👥 SIG Community Meetings: SIG Community now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community

📔 Full CHANGELOG

• Full CHANGELOG.md can be found here.

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people_holding_hands: ❤️

v1.17.6: 1.17.6

Compare Source

Summary of Changes

Minor Changes:

• helm: KPR subflag changes (Backport MR #​40222, Upstream MR #​39721, @​brb)

Bugfixes:

• Deny policies are now synced to Envoy so that they can be enforced for Ingress policies. (Backport MR #​40187, Upstream MR #​39736, @​jrajahalme)
• Do not fail the agent startup in case IPv6 support is enabled and the node does not have an IPv6 address assigned yet (Backport MR #​40205, Upstream MR #​40143, @​pippolo84)
• Fix bug preventing a global service from including remote backends, if the local service has no selector, and the remote one gets removed and then added again. (#​40361, @​giorio94)
• Fix data race involving DumpReliablyWithCallback map operation. (Backport MR #​40094, Upstream MR #​38590, @​aditighag)
• Fix IPAM IP release racing condition when IP reassigned back to ENI (Backport MR #​40289, Upstream MR #​40019, @​victorcq)
• hubble automatically pick the hubble-prefer-ipv6 to true if ipv4 not enabled (Backport MR #​40289, Upstream MR #​40210, @​chengjoey)
• LBIPAM: Fix deletion of CiliumLoadBalancerIPPool with multiple IP blocks that led to an operator crash (Backport MR #​40094, Upstream MR #​40013, @​pippolo84)
• pkg/egressgateway: ensure gateway IP is IPv4 (Backport MR #​40332, Upstream MR #​40209, @​rgo3)
• policy: fix error handling for selector policy resolution (#​40404, @​fristonio)

CI Changes:

• ci: do not run north-south conn disrupt tests for 5.4 kernels (#​39443, @​ldelossa)
• ci: fix north-south conn disrupt for 5.4 kernel (#​40434, @​smagnani96)

Misc Changes:

• .github/workflows: remove reviewers if ciliumbot approved MR (Backport MR #​40094, Upstream MR #​39989, @​aanm)
• auto-approve: add repository as part command (Backport MR #​40094, Upstream MR #​40050, @​aanm)
• auto-approve: add repository as part command (Backport MR #​40332, Upstream MR #​40089, @​aanm)
• chore(deps): update all github action dependencies (v1.17) (#​40158, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​40044, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​40458, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.5 (v1.17) (#​39948, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.5 (v1.17) (#​40424, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68 (v1.17) (#​40466, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​40157, @​cilium-renovate[bot])
• cilium: fix socket termination for v4-in-v6 clients (Backport MR #​40295, Upstream MR #​39994, @​borkmann)
• contrib/git: add merge drivers to automate post-merge commands (Backport MR #​40289, Upstream MR #​40189, @​aanm)
• disk-cleanup: parallelize cleanup process to speed up step (Backport MR #​40094, Upstream MR #​40054, @​aanm)
• doc:ipsec:kvstore: explicit limitations that could lead to staling XFRM states and no connectivity (Backport MR #​40176, Upstream MR #​39719, @​smagnani96)
• docs/ipsec: Fix incorrect statement on hostns encryption (Backport MR #​40176, Upstream MR #​40133, @​pchaigno)
• Makefile: Require API generation commands to succeed (Backport MR #​40205, Upstream MR #​40199, @​joestringer)
• operator/secretsync: silence reconciliation logs (Backport MR #​40289, Upstream MR #​40217, @​tklauser)
• proxy: Use upstream envoy control plane API (Backport MR #​40216, Upstream MR #​39672, @​sayboras)
• v1.17: helm: Restore hostPort.enabled flag (#​40480, @​brb)

Other Changes:

• [v1.17] deps: Update cilium-envoy image to 1.33.x (#​40088, @​sayboras)
• Backport: kube-proxy-healthz to return 503 if node terminating (#​40317, @​tamilmani1989)
• Bpf datapath TCP conntrack entries are (re)created only in the forward direction, solving an issue with freezing proxy connections when backend connection is re-opened. (#​40448, @​jrajahalme)
• envoy: Bump cilium-envoy to the latest v1.33.x (#​40368, @​sayboras)
• install: Update image digests for v1.17.5 (#​40117, @​cilium-release-bot[bot])
• proxy: Bump envoy version to the latest v1.33.x (#​40181, @​sayboras)
• v1.17: docs: Document encapsulation options (#​40471, @​pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.6@​sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353 quay.io/cilium/cilium:stable@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.6@​sha256:f619e97432db427e1511bf91af3be8ded418c53a353a09629e04c5880659d1df quay.io/cilium/clustermesh-apiserver:stable@sha256:f619e97432db427e1511bf91af3be8ded418c53a353a09629e04c5880659d1df

docker-plugin

quay.io/cilium/docker-plugin:v1.17.6@​sha256:2d6175582c036dde241448b2b937353ce304d7a30eec9b66e96279b4b39c4f36 quay.io/cilium/docker-plugin:stable@sha256:2d6175582c036dde241448b2b937353ce304d7a30eec9b66e96279b4b39c4f36

hubble-relay

quay.io/cilium/hubble-relay:v1.17.6@​sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60 quay.io/cilium/hubble-relay:stable@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.6@​sha256:5352e670719dc61f059c1e1a04bc0563c2144738386fa7236dc167ff3fef4c64 quay.io/cilium/operator-alibabacloud:stable@sha256:5352e670719dc61f059c1e1a04bc0563c2144738386fa7236dc167ff3fef4c64

operator-aws

quay.io/cilium/operator-aws:v1.17.6@​sha256:24db5c811e24e51e7ce166e8e056967875bf3544cc2ead6984f34f705fe71847 quay.io/cilium/operator-aws:stable@sha256:24db5c811e24e51e7ce166e8e056967875bf3544cc2ead6984f34f705fe71847

operator-azure

quay.io/cilium/operator-azure:v1.17.6@​sha256:1b7e193ccbc718f723993a0f11eb8fbf16376e822fe8c4dc792d7696701d57c8 quay.io/cilium/operator-azure:stable@sha256:1b7e193ccbc718f723993a0f11eb8fbf16376e822fe8c4dc792d7696701d57c8

operator-generic

quay.io/cilium/operator-generic:v1.17.6@​sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096 quay.io/cilium/operator-generic:stable@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096

operator

quay.io/cilium/operator:v1.17.6@​sha256:e7b41cdba20875f8a6595eca1baf1cff1b8367417cffa99be7b1b9b0a11ab677 quay.io/cilium/operator:stable@sha256:e7b41cdba20875f8a6595eca1baf1cff1b8367417cffa99be7b1b9b0a11ab677

v1.17.5: 1.17.5

Compare Source

Summary of Changes

Bugfixes:

• aws/ENI: Only use pagination when not specifying IDs (Backport MR #​39564, Upstream MR #​39120, @​HadrienPatte)
• Fix connections to deleted service backends not getting terminated in certain cases involving services with multiple protocol ports. (Backport MR #​39564, Upstream MR #​37745, @​foyerunix)
• Fix handle_policy_egress programs not being cleaned up during endpoint teardown (Backport MR #​39685, Upstream MR #​39560, @​ti-mo)
• Fixed bug where datapath is unable to compile when active connection tracking and IPv6 are enabled at the same time. (Backport MR #​39564, Upstream MR #​39509, @​dylandreimerink)
• Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic. (Backport MR #​39765, Upstream MR #​39693, @​squeed)
• gateway-api: Use original source address for GAMMA (Backport MR #​39685, Upstream MR #​39206, @​sayboras)
• helm/hubble: Fix wrong value for metrics server tls existingSecret (Backport MR #​39685, Upstream MR #​39668, @​devodev)
• install/kubernetes: change mapDynamicSizeRatio from number to string (Backport MR #​39963, Upstream MR #​39834, @​aanm)
• operator: skip retry of node taint update when node not found (Backport MR #​39564, Upstream MR #​39517, @​jshr-w)
• Persist parent interface index of endpoint across agent restarts (Backport MR #​39765, Upstream MR #​39575, @​dylandreimerink)
• Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport MR #​39564, Upstream MR #​39511, @​jrajahalme)

CI Changes:

• bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport MR #​39564, Upstream MR #​39420, @​julianwiedmann)
• call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport MR #​39862, Upstream MR #​37362, @​Artyop)
• gh: e2e: enable secondary-network LB testing for all KPR=true configs (Backport MR #​39780, Upstream MR #​39718, @​julianwiedmann)
• gh: eks: restore concurrent execution of connectivity tests (Backport MR #​39685, Upstream MR #​39673, @​julianwiedmann)
• Re-optimize CI build process (Backport MR #​39862, Upstream MR #​39802, @​aanm)

Misc Changes:

• .github/workflows: remove cilium-cli from build-go-caches (#​39801, @​aanm)
• [v1.17] bpf: host: don't detect WG traffic in from-netdev@cilium_wg0 (#​38233, @​julianwiedmann)
• Add a section to talk about the native routing masquerading in the cloud environment. (Backport MR #​39564, Upstream MR #​39343, @​liyihuang)
• bpf: host: flag Cilium's ESP traffic as TRACE_REASON_ENCRYPTED (Backport MR #​39685, Upstream MR #​39558, @​julianwiedmann)
• bpf: Skip lxc src IP check for proxy traffic (Backport MR #​39564, Upstream MR #​39530, @​sayboras)
• bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets (Backport MR #​39652, Upstream MR #​39651, @​smagnani96)
• chore(deps): update all github action dependencies (v1.17) (#​39476, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​39704, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​39570, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​39687, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​39821, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​39879, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v31 (v1.17) (#​39607, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v31.1 (v1.17) (#​39951, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 4c0a181 (v1.17) (#​39725, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 81bf592 (v1.17) (#​39822, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.3 docker digest to 86b4cff (v1.17) (#​39605, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to 188ddfb (v1.17) (#​39606, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.4 (v1.17) (#​39949, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749031919-98c55b1d0c1154fb6c9e760583c2dcd7778686e2 (v1.17) (#​39886, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626 (v1.17) (#​39935, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​39703, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​39950, @​cilium-renovate[bot])
• HELM: Adding Label Support to clustermesh apiserver service (Backport MR #​39564, Upstream MR #​39520, @​camrossi)
• mtu/endpoint_updater.go: Check for unix.EINVAL not os.ErrInvalid (Backport MR #​39862, Upstream MR #​39658, @​dylandreimerink)
• mtu: Catch expected error in endpoint MTU updater (Backport MR #​39685, Upstream MR #​36596, @​dylandreimerink)
• pkg/fswatcher: Rewrite without underlying use of fsnotify (Backport MR #​39963, Upstream MR #​38537, @​glibsm)

Other Changes:

• [v1.17] chore(deps): revert etcd bump to v3.6.0 (#​39628, @​giorio94)
• [v1.17] vendor: Bump Hive and StateDB (#​39689, @​joamaki)
• install: Update image digests for v1.17.4 (#​39548, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.5@​sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6 quay.io/cilium/cilium:stable@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.5@​sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d quay.io/cilium/clustermesh-apiserver:stable@sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d

docker-plugin

quay.io/cilium/docker-plugin:v1.17.5@​sha256:0da0960b1d34d07ff1aba99d491e2413f0285cf09d94b183c4329e7e7b6949cb quay.io/cilium/docker-plugin:stable@sha256:0da0960b1d34d07ff1aba99d491e2413f0285cf09d94b183c4329e7e7b6949cb

hubble-relay

quay.io/cilium/hubble-relay:v1.17.5@​sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff quay.io/cilium/hubble-relay:stable@sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.5@​sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259 quay.io/cilium/operator-alibabacloud:stable@sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259

operator-aws

quay.io/cilium/operator-aws:v1.17.5@​sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3 quay.io/cilium/operator-aws:stable@sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3

operator-azure

quay.io/cilium/operator-azure:v1.17.5@​sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026 quay.io/cilium/operator-azure:stable@sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026

operator-generic

quay.io/cilium/operator-generic:v1.17.5@​sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e quay.io/cilium/operator-generic:stable@sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e

operator

quay.io/cilium/operator:v1.17.5@​sha256:815f6e0648724ed4cdbdc072889ad4223de251f21e0503035af91d41dd547cc4 quay.io/cilium/operator:stable@sha256:815f6e0648724ed4cdbdc072889ad4223de251f21e0503035af91d41dd547cc4

v1.17.4: 1.17.4

Compare Source

Summary of Changes

Minor Changes:

• Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport MR #​39260, Upstream MR #​34958, @​smagnani96)
• Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport MR #​38703, Upstream MR #​38458, @​joamaki)
• Update kafka apiKey helm chart value to true (Backport MR #​39214, Upstream MR #​38963, @​kyle-c-simmons)

Bugfixes:

• bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport MR #​39214, Upstream MR #​38916, @​julianwiedmann)
• Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport MR #​39377, Upstream MR #​39122, @​liyihuang)
• Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport MR #​38948, Upstream MR #​38801, @​tklauser)
• Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport MR #​39404, Upstream MR #​39360, @​pasteley)
• Fix a deadlock when a host has no IPv4 address. (Backport MR #​39075, Upstream MR #​38938, @​EmilyShepherd)
• Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport MR #​39075, Upstream MR #​38890, @​pippolo84)
• Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport MR #​39214, Upstream MR #​39170, @​pchaigno)
• Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport MR #​39375, Upstream MR #​38841, @​nimishamehta5)
• gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport MR #​39377, Upstream MR #​38874, @​syedazeez337)
• gateway-api: Fix parentRefMatched to check Group and Kind (Backport MR #​39377, Upstream MR #​39275, @​syedazeez337)
• helm: fix hubble dynamic metrics config conflict (Backport MR #​39075, Upstream MR #​38893, @​devodev)
• ipsec: Fix key derivation error in case of corrupted boot IDs (Backport MR #​39214, Upstream MR #​39059, @​pchaigno)
• k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport MR #​38948, Upstream MR #​38779, @​marseel)
• wireguard:overlay: cleanup calls map when unused (Backport MR #​38899, Upstream MR #​38655, @​smagnani96)
• xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport MR #​38977, Upstream MR #​38654, @​marseel)

CI Changes:

• .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport MR #​39377, Upstream MR #​36398, @​dylandreimerink)
• [v1.17] l4lb: Support environments with existing veth (#​39408, @​joestringer)
• Align main and stable branch workflows for availability of cilium-cli (Backport MR #​38141, Upstream MR #​38138, @​joestringer)
• bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport MR #​39075, Upstream MR #​39060, @​julianwiedmann)
• ci-aks: Enable dual-stack in Conformance AKS (Backport MR #​39377, Upstream MR #​37704, @​gandro)
• gateway-api: Add translation tests for GAMMA (Backport MR #​39221, Upstream MR #​39207, @​sayboras)
• gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport MR #​39214, Upstream MR #​39111, @​julianwiedmann)
• gh: e2e-upgrade: generate config matrix from file (Backport MR #​39058, Upstream MR #​38512, @​julianwiedmann)
• gh: e2e-upgrade: minor log output improvements (Backport MR #​39058, Upstream MR #​38011, @​julianwiedmann)
• gh: use e2e-upgrade for IPsec minor upgrade testing (Backport MR #​39058, Upstream MR #​38757, @​julianwiedmann)
• gha: always respect the given image tag in the wait-for-images action (Backport MR #​38141, Upstream MR #​37901, @​giorio94)
• rate: Disable TestStressRateLimiter (Backport MR #​38896, Upstream MR #​38877, @​YutaroHayakawa)

Misc Changes:

• [v1.17] deps: bump CNI plugins version (#​39329, @​ferozsalam)
• [v1.17] deps: bump golang-jwt to 4.5.2 (#​39491, @​ferozsalam)
• Add the doc for multi-pool ipam about how to update the existing ip pool (Backport MR #​38948, Upstream MR #​38539, @​liyihuang)
• bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport MR #​38948, Upstream MR #​38768, @​julianwiedmann)
• bpf: nat: ICMP v4 improvements (Backport MR #​39332, Upstream MR #​36767, @​julianwiedmann)
• bpf:hubble: update trace/drop notify for L2-less packets (Backport MR #​39263, Upstream MR #​37097, @​smagnani96)
• chore(deps): update all github action dependencies (v1.17) (#​39183, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​39316, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.17) (#​38908, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.17) (#​39046, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.17) (#​39314, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 6015f66 (v1.17) (#​39379, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.2 (v1.17) (#​39113, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.3 (v1.17) (#​39380, @​cilium-renovate[bot])
• chore(deps): update google/cloud-sdk docker tag to v518 (v1.17) (#​39048, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.17) (#​38909, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.17) (#​39047, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.17) (#​39226, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.17) (#​39248, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1746405645-719d708b1802ce417568d3eaae4c0677dd60e128 (v1.17) (#​39324, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.17) (#​39413, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​38911, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​38970, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​39182, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​39315, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​39475, @​cilium-renovate[bot])
• chore: remove retention-days param in build-images-releases.yaml (Backport MR #​39435, Upstream MR #​39431, @​sekhar-isovalent)
• cilium: Fix device controller's dependency on netfilter (Backport MR #​38948, Upstream MR #​38777, @​borkmann)
• cilium: Fix ipip device mtu (Backport MR #​38948, Upstream MR #​38682, @​borkmann)
• contrib/scripts: Fix IndexError in stacktrace script (Backport MR #​39214, Upstream MR #​39101, @​christarazi)
• contrib: Remove kind.sh dependency on git (Backport MR #​39377, Upstream MR #​39154, @​joestringer)
• docs: Add good kernel versions for the L7 policy IPv6 bug (Backport MR #​39377, Upstream MR #​39212, @​gentoo-root)
• docs: add warning about l7 policy and EnableDefaultDeny (Backport MR #​39075, Upstream MR #​38675, @​squeed)
• docs: Document L7 policy IPv6 bug (Backport MR #​38948, Upstream MR #​38591, @​gentoo-root)
• docs: Document that traffic to the VPC in ENI mode is not masqueraded (#​39156, @​liyihuang)
• docs: Fix casing and formatting in L3 examples section (Backport MR #​39377, Upstream MR #​39065, @​mikejoh)
• docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport MR #​39075, Upstream MR #​38821, @​zzuckerfrei)
• docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport MR #​39377, Upstream MR #​38886, @​auriaave)
• docs: Update hubble-metrics flag documentation (Backport MR #​39075, Upstream MR #​38960, @​HadrienPatte)
• Documentation : Modification of eks-clustermesh-prep.rst (Backport MR #​39214, Upstream MR #​39025, @​rwinieski)
• documentation: fix get deployment cmd (Backport MR #​39214, Upstream MR #​39155, @​g0gn)
• dynamiclifecycle: fix goroutine leak (Backport MR #​39214, Upstream MR #​39149, @​squeed)
• exclude the dummy device type when evaluating MTU, ensuring that local traffic does not interfere with MTU calculations. (Backport MR #​39214, Upstream MR #​38992, @​liyihuang)
• Fix LRU maps to streamline distributed LRU flag implementation with map prealloc handling (Backport MR #​39214, Upstream MR #​39087, @​borkmann)
• Fix map recreation loop when distributed lru setting is enabled (Backport MR #​39075, Upstream MR #​38978, @​borkmann)
• hubble:monitor: align TraceNotify to DropNotify (Backport MR #​39264, Upstream MR #​38830, @​smagnani96)
• ipsec: include ipv6 in v1.18 upgrade leak detection (#​38843, @​ldelossa)
• k8s/resource: Don't Add to WaitGroup asynchronously (Backport MR #​38948, Upstream MR #​38692, @​joamaki)
• make: fix golangci-lint version detection (Backport MR #​39075, Upstream MR #​38996, @​mhofstetter)
• Throw build bug when using TRACE_{FROM,TO}_CRYPTO from unexpected files and cleanup unevaluated build_bug_on. (Backport MR #​39260, Upstream MR #​38470, @​smagnani96)
• workflows: fix lint-workflows (Backport MR #​39403, Upstream MR #​39398, @​aanm)

Other Changes:

• [v1.17] k8s/statedb: Fix buffering order of objects (#​38585, @​joamaki)
• [v1.17] Stop TLS Interception config being included in preflight (#​39481, @​youngnick)
• bpf,encrypt: fixes the placement of a particular vxlan helper function (#​39088, @​ldelossa)
• install: Update image digests for v1.17.3 (#​38933, @​cilium-release-bot[bot])
• v1.17: Update Go version to 1.24 in go.mod (#​39128, @​pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.4@​sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a quay.io/cilium/cilium:stable@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.4@​sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d quay.io/cilium/clustermesh-apiserver:stable@sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d

docker-plugin

quay.io/cilium/docker-plugin:v1.17.4@​sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa quay.io/cilium/docker-plugin:stable@sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa

hubble-relay

quay.io/cilium/hubble-relay:v1.17.4@​sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441 quay.io/cilium/hubble-relay:stable@sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.4@​sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6 quay.io/cilium/operator-alibabacloud:stable@sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6

operator-aws

quay.io/cilium/operator-aws:v1.17.4@​sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753 quay.io/cilium/operator-aws:stable@sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753

operator-azure

quay.io/cilium/operator-azure:v1.17.4@​sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1 quay.io/cilium/operator-azure:stable@sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1

operator-generic

quay.io/cilium/operator-generic:v1.17.4@​sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5 quay.io/cilium/operator-generic:stable@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5

operator

quay.io/cilium/operator:v1.17.4@​sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f quay.io/cilium/operator:stable@sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.